RP2003: Dumping mscash
Summary
ID | RP2003 |
---|---|
Brief Description | Response playbook for detected MSCash (Domain Cached Credentials) dumping activity. |
Author | @Cyberok |
Creation Date | 2023/02/03 |
Modification Date | 2023/04/23 |
Tags | |
Usecases | |
Description
MSCash (MS Cache, Domain Cached Credentials) is the hashed form of domain credentials that a Windows host caches so that domain users can still log on when no domain controller is reachable. It is stored in the HKLM\SECURITY hive and decrypted with the boot key from HKLM\SYSTEM, which is why the tools and commands listed below target those hives. Adversaries dump these hashes to obtain account login information; the hashes can then be cracked and the recovered passwords used for lateral movement.
These cached credentials do not expire, but unlike NT hashes they cannot be used in pass-the-hash attacks, so the attacker must crack the hash offline to recover the plaintext password. Cracking the modern DCC2 format is slow, so the practical risk is concentrated in weak or reused passwords of the users who logged on to the host.
Workflow
For effective triage and response, identify and analyze the artifacts produced by the triggering use case.
- Identify the detected IOCs (programs, tools, commands) used for credential dumping; they point at specific artifacts. List created/modified/downloaded files and search for processes executed with "specific" flags, for example:
  - processes started with the arguments ShadowHashData or "-dump" (ShadowHashData is a macOS directory-services artifact inherited from the generic credential-dumping use case; on Windows the MSCash-specific indicators are the two below)
  - processes that accessed the hklm\sam, hklm\system or hklm\security registry hives (e.g. via reg save)
  - processes with well-known mimikatz flags (privilege::debug, token::elevate, lsadump::cache)
- As said, this hash cannot be used in a pass-the-hash attack, so the attacker most likely writes the dumped credentials to a file and transfers it to their own machine for offline cracking. List created/modified/downloaded files to identify the source of the attack (IP, host, etc.).
- Take any containment action appropriate to the situation and the criticality of the asset. For example, if the dump is suspected to have succeeded, initiate the procedure to block the compromised users, or use the block-process action in automated scenarios:
  - Block process by executable content pattern
  - Lock user account
- Take any eradication action appropriate to the situation and the criticality of the asset. Since the dumped credentials can be cracked and then reused as arguments to malicious commands, act on every user whose credentials were cached on the compromised host, not only on the account that ran the tool:
  - Revoke authentication credentials
- Take recovery actions matching the previous containment and eradication actions:
  - Unblock the blocked user (if needed)
  - Change the user's credentials
- Report the incident, remove the security breaches, and conduct a lessons-learned exercise.
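The identification and response steps above, worked as PowerShell. This is an example added here, not code from the original playbook or from @Cyberok: a triage function that flags process-creation records by the indicators listed in the workflow, a live-collection helper for the Sysmon channel, and containment, eradication and recovery functions built on the ActiveDirectory module cmdlets behind the "Lock User Account", "Reset Authentication Credentials" and "Unlock Locked User Account" actions. The Sysmon field and channel names, the sample records and the `Find-`/`Get-`/`Invoke-Mscash*` function names are assumptions of this example.

```powershell
# Added example for RP2003; not code from the original page or from @Cyberok.
# Assumptions: process records use Sysmon Event ID 1 field names (Computer, User,
# Image, CommandLine); the sample records below are constructed; the response
# functions require the RSAT ActiveDirectory module.

# Indicators from the Workflow above. ShadowHashData is a macOS (dscl) artifact
# carried over from the generic use case; kept for parity, it will not fire for MSCash.
$script:DumpIndicators = @(
    @{ Name = 'mimikatz privilege::debug'; Pattern = 'privilege::debug' }
    @{ Name = 'mimikatz token::elevate';   Pattern = 'token::elevate' }
    @{ Name = 'mimikatz lsadump::cache';   Pattern = 'lsadump::cache' }
    @{ Name = 'generic -dump flag';        Pattern = '(^|\s)-dump(\s|$)' }
    @{ Name = 'macOS ShadowHashData';      Pattern = 'ShadowHashData' }
    @{ Name = 'reg save of SAM/SYSTEM/SECURITY'
       Pattern = 'reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b' }
)

# Identification: emit one row per record whose command line matches an indicator.
function Find-MscashDumpIndicator {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record)
    process {
        $hits = foreach ($i in $script:DumpIndicators) {
            if ($Record.CommandLine -imatch $i.Pattern) { $i.Name }
        }
        if ($hits) {
            [pscustomobject]@{ Computer = $Record.Computer; User = $Record.User
                               Image = $Record.Image; CommandLine = $Record.CommandLine
                               Indicators = ($hits -join '; ') }
        }
    }
}

# Live collection from the Sysmon channel (assumed name), same record shape as above.
function Get-SysmonProcessRecord {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Computer = $_.MachineName; User = $d['User']
                           Image = $d['Image']; CommandLine = $d['CommandLine'] }
    }
}

# Containment: disable the account that ran the tool and every account whose
# cached credentials were on the host (the 'Encrypted Credential' artifact).
function Invoke-MscashContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($u in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($u, 'Disable-ADAccount')) { Disable-ADAccount -Identity $u }
    }
}

# Eradication: a cracked MSCash hash yields the plaintext, so the password itself
# must change; a random temporary value plus change-at-logon keeps it short-lived.
function Invoke-MscashEradication {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $alphabet = 33..126 | ForEach-Object { [char]$_ }
    foreach ($u in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($u, 'Set-ADAccountPassword -Reset')) {
            $tmp = -join (Get-Random -InputObject $alphabet -Count 24)
            Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString $tmp -AsPlainText -Force)
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            [pscustomobject]@{ User = $u; TemporaryPassword = $tmp }   # hand off out of band
        }
    }
}

# Recovery: re-enable (and clear any lockout) once the host is clean and the reset is done.
function Invoke-MscashRecovery {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($u in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($u, 'Enable-ADAccount')) {
            Enable-ADAccount -Identity $u; Unlock-ADAccount -Identity $u
        }
    }
}

# Constructed sample records (not real telemetry) to exercise the triage step offline.
$sample = @(
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\reg.exe'
                       CommandLine = 'reg save hklm\security C:\Users\Public\sec.hiv' }
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Temp\m.exe'
                       CommandLine = 'm.exe "privilege::debug" "token::elevate" "lsadump::cache" exit' }
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\svc_backup'; Image = 'C:\Windows\System32\robocopy.exe'
                       CommandLine = 'robocopy D:\data \\fs01\backup /MIR' }
)
$hits = $sample | Find-MscashDumpIndicator
$hits | Format-Table -AutoSize       # the two jdoe records match; robocopy does not
$accounts = @($hits.User | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique)
# With RSAT present, dry-run first: Invoke-MscashContainment -SamAccountName $accounts -WhatIf
```

The triage part runs anywhere; the `Invoke-Mscash*` functions need RSAT and honour `-WhatIf`, so dry-run them against the account list before acting. The account list passed to containment and eradication must include every user whose credentials were cached on the host (the "Encrypted Credential" artifact), not only the account that executed the tool, because all of those hashes left the host in the dump.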
Response discovery mapping
ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES |
---|---|---|
Windows Registry | List registry keys accessed; look for reg save commands | Credential dump attempt |
Process | Find process by executable content pattern; search for the tool's artifacts to confirm that a credential dump took place | Identified credential dump tool |
Encrypted Credential | Examine content; determine which users' credentials were dumped (depends on how many users' credentials were cached on the compromised host) | List of potentially compromised users |
Password | Revoke authentication credentials; reset password, depending on the context | Compromised/new password |
P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host and File) should be used in Operational Preparations and as incoming arguments for other response actions, for example
Response mindmap diagram
Playbook Actions
Preparation
Identification
List Files Created
List Files Modified
List Files Downloaded
List Processes Executed
Find Process By Executable Content Pattern
List Registry Keys Accessed
Identify compromised data
Identify means of attack
Containment
Block Process By Executable Content Pattern
Lock User Account
Powershell disable AD user
Eradication
Reset Authentication Credentials
Revoke Authentication Credentials
Recovery
Unlock Locked User Account
Powershell enable AD user
Lessons Learned
Develop Incident Report
Conduct Lessons Learned Exercise