Home  >  APT29  >  Results  >  Elastic  >  Credential Access

Tactic Results: Credential Access (TA0006) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Credentials in Files
(T1081)
Read the Chrome SQL database file to extract encrypted credentials
accesscheck.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
6.A.1
Technique (Correlated, Configuration Change (Detections))
A Technique detection for "ATT&CK 1081 Credentials in Files" was generated for accesschk.exe reading the Chrome database file for credentials . The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Configuration Change (Detections), Correlated)
Telemetry showed accesschk.exe reading the Chrome database file for credentials. The event was correlated to a parent General detection for malicious file execution. [1]
Private Keys
(T1145)
Exported a local certificate to a PFX file using PowerShell
powershell.exe creating a certificate file exported from the system
6.B.1
Technique (Correlated, Alert)
A Technique alert detection for "ATT&CK T1145 Private Keys" was generated for powershell.exe creating the $RandomFileName.pfx file. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe creating the $RandomFileName.pfx file. The event was correlated to a parent General detection for malicious file execution. [1]
Credential Dumping
(T1003)
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
accesscheck.exe executing the CryptUnprotectedData API
6.A.2
None
No detection capability demonstrated for this procedure.
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
6.C.1
Technique (Correlated, Alert)
A Technique alert detection (high severity) for "Credential Dumping" was generated for lsass.exe memory access. The event was correlated to a parent General detection for malicious file execution. [1] [2]
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (low severity) for "Credential Access: SAM Registry Reads" was generated for lsass.exe reading the SAM database through the registry. [1]
Telemetry (Configuration Change (Detections))
Telemetry showed lsass.exe accessing the NtOpenKey API. The event was correlated to a parent General detection for malicious file execution. [1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
14.B.4
Technique (Alert, Correlated)
A Technique alert detection (high severity) for "Credential Dumping" was generated for the execution of m.exe executing with command-line arguments indicative of Mimikatz credential dumping. The detection was correlated to a parent alert for a suspicious Windows script. [1] [2]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
16.D.2
Technique (Correlated, Alert)
A Technique alert detection for "Process Injection" was generated for the injection into lsass.exe. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1] [2]
Technique (Correlated, Alert)
A Technique alert detection (high severity) for "Credential Dumping" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]