Home  >  APT29  >  Results  >  F-Secure  >  Credential Dumping

Technique Results: Credential Dumping (T1003) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
accesscheck.exe executing the CryptUnprotectedData API
6.A.2
None
No detection capability demonstrated for this procedure.
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
6.C.1
Technique (Alert)
A Technique alert detection (medium severity) for a possible LSASS memory dump was generated due powershell.exe opening handles to lsass.exe in a pattern that happens when a minidump of a process is generated. [1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
14.B.4
Technique (Alert, Correlated)
A Technique alert detection (high severity) called "Mimikatz command line parameters" was generated due to m.exe executing with command-line arguments indicative of Mimikatz credential dumping. This detection was correlated to a parent alert for privilege escalation. [1]
Technique (Alert, Correlated)
A Technique alert detection (medium severity) called "Password Dumper Executed" was generated due to a known password hash dumper running. This detection was correlated to a parent alert for privilege escalation. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of Mimikatz execution. [1] [2]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
16.D.2
Technique (Alert, Correlated)
A Technique alert detection (high severity) for Credential Dumping was generated due to a known password dumper being executed. This event was correlated to a parent detection for privilege escalation. [1]
Technique (Alert, Correlated)
A Technique alert detection (high severity) for "Credential Dumping" was generated due to lsass memory dump. This detection was correlated to a parent detection for privilege escalation. [1]
Technique (Alert, Correlated)
A Technique alert detection (high severity) for "Credential Dumping" was generated due to Mimikatz command-line parameters being executed. This event was correlated to a parent detection for privilege escalation. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of Mimikatz dumping the KRBTGT hash. [1] [2]
Telemetry
Telemetry showed m.exe injecting a thread into lsass.exe. [1]