Credential Theft (MITRE ATT&CK: T1003, T1078)

Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.

Credential Theft (MITRE ATT&CK: T1003, T1078)

Overview:

Credential theft involves attackers trying to steal valid user credentials through various means such as credential dumping, brute force, and network sniffing. Once credentials are obtained, adversaries use them for lateral movement or privilege escalation.

25 Example Queries for Credential Theft Detection:

1. Detect LSASS Memory Access (Mimikatz) Mimikatz is a well-known tool used to extract credentials from LSASS memory.

DeviceProcessEvents | where FileName == "mimikatz.exe" or ProcessCommandLine has "lsass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor Execution of Credential Dumping Tools (e.g., ProcDump) ProcDump can be used to dump LSASS for credential extraction.

DeviceProcessEvents | where FileName == "procdump.exe" and ProcessCommandLine has "lsass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Use of DCSync for Credential Replication Attackers may use DCSync to impersonate a domain controller and request password hashes.

DeviceProcessEvents | where FileName == "mimikatz.exe" and ProcessCommandLine has "lsadump::dcsync" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Unusual Access to SAM and SYSTEM Registry Hives Credential information is stored in the SAM and SYSTEM registry hives.

DeviceProcessEvents | where FileName == "reg.exe" and ProcessCommandLine has_any ("save SAM", "save SYSTEM") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Use of NTDSUtil for Credential Extraction NTDSUtil is used to interact with Active Directory databases and can be abused to dump credentials.

DeviceProcessEvents | where FileName == "ntdsutil.exe" and ProcessCommandLine has "IFM" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor PowerShell Credential Dumping Scripts PowerShell scripts such as Invoke-Mimikatz are used to dump credentials.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Invoke-Mimikatz" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Unauthorized Access to Cached Credentials (VaultCmd) VaultCmd can be used to list and extract cached credentials.

DeviceProcessEvents | where FileName == "vaultcmd.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Attempts to Dump Password Hashes via SAMR Protocol Attackers may use the SAMR protocol to enumerate user accounts and dump password hashes.

DeviceNetworkEvents | where RemotePort == 445 and ActionType == "ConnectionSuccess" and ProcessCommandLine has "samr" | summarize count() by DeviceName, RemoteIP, AccountName

1. Monitor the Use of Tools Like LaZagne for Credential Extraction LaZagne is a popular tool used to extract stored credentials.

DeviceProcessEvents | where FileName == "lazagne.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Use of Windows Credential Editor (WCE) Windows Credential Editor is used to extract password hashes from memory.

DeviceProcessEvents | where FileName == "wce.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Unusual LSASS Process Access via Task Manager Direct access to the LSASS process by unauthorized tools may indicate credential dumping.

DeviceProcessEvents | where FileName == "taskmgr.exe" and ProcessCommandLine has "lsass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor the Use of Net Commands for Account Enumeration Net user and net group commands are often used for account and group enumeration.

DeviceProcessEvents | where FileName == "net.exe" and ProcessCommandLine has_any ("user", "group") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Brute Force Attacks by Tracking Multiple Failed Logons Multiple failed logon attempts in a short time may indicate a brute force attack.

DeviceLogonEvents | where ActionType == "LogonFailed" | summarize count() by AccountName, DeviceName, RemoteIP | where count_ > 5

1. Monitor the Use of KERBROAST for Ticket Extraction KERBROAST is used to extract and crack Kerberos ticket hashes.

DeviceProcessEvents | where FileName == "Invoke-Kerberoast.ps1" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Unusual Access to LSA Secrets via Registry Access LSA secrets stored in the registry can be accessed to extract credentials.

DeviceRegistryEvents | where RegistryKey contains "LSA" and ProcessCommandLine has_any ("save", "export") | summarize count() by DeviceName, InitiatingProcessAccountName, RegistryKey

1. Monitor the Use of Pass-the-Hash Techniques via NTLM Pass-the-hash attacks leverage stolen NTLM hashes to authenticate without knowing the password.

DeviceLogonEvents | where AuthenticationPackage == "NTLM" | summarize count() by AccountName, DeviceName, RemoteIP

1. Detect Attempts to Access LSASS Memory (Handles, Threads) Attackers may attempt to access LSASS memory directly using various tools.

DeviceProcessEvents | where FileName in ("procdump.exe", "taskmgr.exe", "mimikatz.exe") and ProcessCommandLine has "lsass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor the Use of CrackMapExec for Credential Attacks CrackMapExec is a post-exploitation tool that can perform credential-related attacks.

DeviceProcessEvents | where FileName == "crackmapexec.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Use of BloodHound for Active Directory Credential Enumeration BloodHound is a tool used to map AD objects and identify paths for privilege escalation.

DeviceProcessEvents | where FileName == "bloodhound.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Use of Windows Password Recovery Tools (e.g., Cain & Abel) Password recovery tools may be used to extract stored credentials.

DeviceProcessEvents | where FileName == "cain.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor the Use of Remote Credential Guard Techniques Remote Credential Guard is designed to protect against credential theft over RDP sessions.

DeviceProcessEvents | where FileName == "mstsc.exe" and ProcessCommandLine has "RemoteCredentialGuard" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Usage of Keyloggers for Credential Capture Keyloggers may be used to capture credentials as they are typed.

DeviceProcessEvents | where FileName in ("keylogger.exe", "capture.exe") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Monitor Tools Like Responder for LLMNR/NBT-NS Poisoning Responder is used to capture credentials by poisoning LLMNR and NBT-NS requests.

DeviceProcessEvents | where FileName == "responder.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Detect Enumeration of Windows Credential Guard Status Windows Credential Guard can be enumerated to determine if it is enabled.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Get-WinEvent" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

1. Track Attempts to Exploit Credential Guard Vulnerabilities Exploitation attempts may target Credential Guard to steal credentials.

DeviceProcessEvents | where FileName == "exploit.exe" and ProcessCommandLine has "CredentialGuard" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine