{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cisco-systems/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Cisco Systems","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies the execution of Windows utilities commonly abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. Attackers often leverage these tools to extract sensitive information, such as user credentials and domain secrets. The utilities of interest include procdump, ProcessDump.exe, WriteMiniDump.exe, RUNDLL32.EXE, RdrLeakDiag.exe, SqlDumper.exe, TTTracer.exe, ntdsutil.exe, and diskshadow.exe. The rule focuses on detecting specific command-line arguments and process names indicative of credential dumping activities. This activity is typically associated with post-exploitation phases, where attackers aim to escalate privileges and move laterally within a network. This detection is crucial for defenders as it can reveal ongoing credential theft attempts, allowing for prompt intervention and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system through various means, such as phishing, exploiting vulnerabilities, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a privileged process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to perform reconnaissance and identify potential targets for credential dumping.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003eprocdump.exe\u003c/code\u003e with the \u003ccode\u003e-ma\u003c/code\u003e flag to dump the LSASS process memory (\u003ccode\u003eprocdump.exe -ma lsass.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003entdsutil.exe\u003c/code\u003e to create an IFM (Install From Media) snapshot of the Active Directory database (\u003ccode\u003entdsutil.exe \u0026quot;ac i ntds\u0026quot; \u0026quot;ifm\u0026quot; \u0026quot;cr fu c:\\\\temp\u0026quot; q q\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003ediskshadow.exe\u003c/code\u003e with a script (\u003ccode\u003e/s\u003c/code\u003e) to create shadow copies of the system volume, potentially including the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the dumped credentials or database files in a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker compresses the staged data using archiving tools for easier transfer.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker exfiltrates the compressed data to an external server for further analysis and credential harvesting.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread credential compromise, allowing attackers to gain unauthorized access to sensitive systems and data. Credential theft can enable lateral movement within the network, privilege escalation, and ultimately, data exfiltration or ransomware deployment. The targeted dumping of LSASS memory exposes user credentials, while the extraction of the Active Directory database can compromise the entire domain. The severity of the impact depends on the scope of the compromise and the sensitivity of the affected data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious process execution patterns indicative of credential dumping (Sigma rule: \u0026ldquo;Potential Credential Access via Procdump\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of known credential dumping utilities with suspicious command-line arguments using the provided Sigma rules, enabling process creation logging via Sysmon (Sigma rule: \u0026ldquo;Potential Credential Access via NTDSUtil\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or untrusted binaries, especially those associated with credential dumping, referencing the list of tools described in the Overview.\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory security configurations to prevent unauthorized access to the NTDS.dit file, using Microsoft\u0026rsquo;s security guidance.\u003c/li\u003e\n\u003cli\u003eRegularly audit and monitor systems for suspicious file creation and modification events, particularly those involving potential credential dumps, and ensure proper file integrity monitoring is enabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-potential-credential-access-windows-utilities/","summary":"This rule detects the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access by identifying specific command-line arguments and process names associated with credential dumping activities.","title":"Potential Credential Access via Windows Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-credential-access-windows-utilities/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco Systems","version":"https://jsonfeed.org/version/1.1"}