
RP2003: Dumping mscash

Summary

ID: RP2003
Brief Description: Response playbook for detected MScash dumping activity.
Author: @Cyberok
Creation Date: 2023/02/03
Modification Date: 2023/04/23
Tags:
  • Status: Stable
  • Severity: High
  • Tlp: Amber
  • Pap: White
  • Windows
Usecases:

Description

Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.

These stored credentials (the cached domain logon hashes, mscash) do not expire, but they cannot be used for pass-the-hash attacks, so attackers must crack the password hash to recover the plaintext password.

Workflow


To triage and respond effectively, first identify and analyze the artifacts reported by the detection use case.

  1. Identify the detected IOCs (programs, tools, commands) used in credential dumping; this narrows the search for specific artifacts. List created/modified/downloaded files and search for processes executed with "specific" flags. For example:
    • processes started with arguments such as ShadowHashData or "-dump"
    • processes that accessed the hklm\sam, hklm\system or hklm\security registry hives
    • processes with well-known flags (privilege::debug, token::elevate, lsadump::cache)
  2. As noted above, this hash cannot be used in a pass-the-hash attack, so a file containing the credentials has most likely been created and dropped on the attacker's machine for offline cracking. List created/modified/downloaded files to identify the source of the attack (IP, host, etc.).
  3. Take containment action appropriate to the situation and the criticality of the asset. For example, if privilege escalation is suspected to have succeeded, initiate the procedure to block the compromised users, or use the block-process action in automated scenarios:
    • Block process by executable content pattern
    • Lock user account
  4. Take eradication action appropriate to the situation and the criticality of the asset. For example, the dumped credentials can be used as arguments to malicious commands:
    • Revoke authentication credentials
  5. Take recovery action depending on the previous containment and eradication actions:
    • Unblock blocked user (if needed)
    • Change user's credentials
  6. Report the incident, remove the security breaches, and conduct a lessons-learned exercise.
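One way to automate step 1 of this workflow over endpoint telemetry, as an added example that is not part of the playbook: it scans constructed, Sysmon-like JSON process-creation and registry-access events for the argument, hive and tool-flag indicators listed above plus the reg save command from the mapping table, and groups the hits per process so the analyst knows which process on which host to pull files and arguments for. The event field names (event, host, pid, image, command_line, key) are assumptions of the example.

```python
import json
import re

# Indicators are those listed in step 1 of the workflow and in the "Windows Registry"
# row of the response mapping; the JSON event shape is a constructed, Sysmon-like format.
PROCESS_ARGS = ("shadowhashdata", "-dump")
TOOL_FLAGS = ("privilege::debug", "token::elevate", "lsadump::cache")
SENSITIVE_HIVES = (r"hklm\sam", r"hklm\system", r"hklm\security")
REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\b", re.IGNORECASE)

def triage_event(event):
    """Return (indicator_type, matched_value) pairs for a single event."""
    hits = []
    if event.get("event") == "process_create":
        cmd = event.get("command_line", "")
        low = cmd.lower()
        hits += [("process_arg", a) for a in PROCESS_ARGS if a in low]
        hits += [("tool_flag", f) for f in TOOL_FLAGS if f in low]
        if REG_SAVE.search(cmd):
            hits.append(("reg_save", cmd))
    elif event.get("event") == "registry_access":
        # Normalise the long hive prefix so both spellings are matched.
        key = event.get("key", "").lower().replace("hkey_local_machine", "hklm")
        hits += [("registry_hive", h) for h in SENSITIVE_HIVES if key.startswith(h)]
    return hits

def triage_events(lines):
    """Group hits by (host, pid, image): which process on which host touched what."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        for hit in triage_event(ev):
            findings.setdefault((ev["host"], ev["pid"], ev["image"]), []).append(hit)
    return findings

# Constructed sample telemetry: two suspicious processes on WS01, benign noise on WS02.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "pid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SECURITY C:\Temp\sec.hiv"},
    {"event": "registry_access", "host": "WS01", "pid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKEY_LOCAL_MACHINE\SECURITY\Cache"},
    {"event": "process_create", "host": "WS01", "pid": 5312, "image": r"C:\Users\Public\x.exe",
     "command_line": 'x.exe "privilege::debug" "token::elevate" "lsadump::cache" exit'},
    {"event": "process_create", "host": "WS02", "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
if __name__ == "__main__":
    for (host, pid, image), hits in triage_events(SAMPLE_LINES).items():
        print(f"{host} pid={pid} {image}: {hits}")
```

Each flagged (host, pid, image) tuple is the starting point for the file-listing actions in step 2; the WS02 process produces no hit and is not reported.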

Response discovery mapping

| Artifact | Response action | Response action observables |
|---|---|---|
| Windows Registry | List registry keys accessed; look for reg save commands | Credential dump attempt |
| Process | Find process by executable content pattern; search for the tool's artifacts to establish the fact of a credential dump | Identified credential dump tool |
| Encrypted Credential | Examine content; define which users' credentials were dumped, which depends on how many users' credentials were cached on the compromised host | List of potentially compromised users |
| Password | Revoke authentication credentials; reset password (depends on the needed context) | Compromised/new password |

P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host and File) should be used in Operational Preparations and as input arguments for other response actions, for example:

response action: list processes executed
List_processes_executed (enabled=True, host)

Response mindmap diagram

Mindmap

Playbook Actions

Preparation

Operational Preparations

Identification

List Files Created
List Files Modified
List Files Downloaded
List Processes Executed
Find Process By Executable Content Pattern
List Registry Keys Accessed
Identify compromised data
Identify means of attack

Containment

Block Process By Executable Content Pattern
Lock User Account
Powershell disable AD user

Eradication

Reset Authentication Credentials
Revoke Authentication Credentials

Recovery

Unlock Locked User Account
Powershell enable AD user

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts