{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/procdump/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Active Directory"],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","ntdsutil","procdump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of legitimate Windows utilities to dump credentials from LSASS memory or the Active Directory database (NTDS.dit). Attackers commonly use these techniques to gain access to sensitive information, such as user credentials and Kerberos tickets, which can then be used for lateral movement and privilege escalation. The utilities commonly used include procdump, ProcessDump.exe, WriteMiniDump.exe, RUNDLL32.exe, RdrLeakDiag.exe, SqlDumper.exe, TTTracer.exe, ntdsutil.exe, and diskshadow.exe. These tools are often abused because they are typically present in a standard Windows installation, making their malicious use harder to detect. This activity is often a precursor to a larger attack, such as ransomware deployment or data exfiltration. The Elastic detection rule was last updated on 2026/04/07, indicating continued relevance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command shell (e.g., cmd.exe or PowerShell) to run reconnaissance commands and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses procdump.exe with the \u003ccode\u003e-ma\u003c/code\u003e flag to create a full memory dump of the LSASS process.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker utilizes RUNDLL32.exe to invoke MiniDump functionality for LSASS process dumping.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ntdsutil.exe to create a snapshot of the Active Directory database (NTDS.dit) if the compromised host is a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses diskshadow.exe to create shadow copies, which can then be used to access the NTDS.dit database.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the dumped LSASS memory or NTDS.dit file to a location where they can extract credentials offline.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential extraction tools to parse the dumped memory or database and obtain user credentials and other sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful credential dumping attack can have severe consequences. Attackers can use the compromised credentials to move laterally within the network, access sensitive data, and escalate their privileges. This can lead to data breaches, financial losses, and reputational damage. In environments with Active Directory, a compromise of the NTDS.dit file can result in a complete compromise of the entire domain, affecting all users and systems. Depending on the compromised accounts, attackers can encrypt critical systems with ransomware or exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture command-line arguments for all processes, allowing for detection of credential dumping tools (reference: logsource with category \u0026quot;process_creation\u0026quot; and product \u0026quot;windows\u0026quot;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious execution of credential dumping utilities.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected execution of \u003ccode\u003eprocdump.exe\u003c/code\u003e with the \u003ccode\u003e-ma\u003c/code\u003e flag, as this is a common indicator of LSASS memory dumping (reference: Sigma rule \u0026quot;Detect Procdump LSASS Memory Dump\u0026quot;).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on domain controllers to limit which users and systems can access the NTDS.dit file and LSASS process, reducing the attack surface (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual uses of \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003ediskshadow.exe\u003c/code\u003e, especially on systems that are not domain controllers (reference: Sigma rule \u0026quot;Detect NTDSUtil or Diskshadow Activity\u0026quot;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-credential-dump-tools/","summary":"This brief detects the execution of known Windows utilities such as procdump, ntdsutil, and diskshadow, often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access, potentially leading to widespread compromise.","title":"Potential Credential Access via Windows Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-credential-dump-tools/"}],"language":"en","title":"CraftedSignal Threat Feed - Procdump","version":"https://jsonfeed.org/version/1.1"}