OS Credential Dumping: Cached Domain Credentials
Other sub-techniques of OS Credential Dumping (8)
ID | Name |
---|---|
T1003.001 | LSASS Memory |
T1003.002 | Security Account Manager |
T1003.003 | NTDS |
T1003.004 | LSA Secrets |
T1003.005 | Cached Domain Credentials |
T1003.006 | DCSync |
T1003.007 | Proc Filesystem |
T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.[1]
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.[2] The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.[3]
With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.[2]
Procedure Examples
Name | Description |
---|---|
APT33 |
APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5] |
Cachedump |
Cachedump can extract cached password hashes from cache entry information.[6] |
LaZagne |
LaZagne can perform credential dumping from MSCache to obtain account and password information.[7] |
Leafminer |
Leafminer used several tools for retrieving login and password information, including LaZagne.[8] |
MuddyWater |
MuddyWater has performed credential dumping with LaZagne.[9][10] |
OilRig |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[11][12][13][14] |
Okrum |
Okrum was seen using modified Quarks PwDump to perform credential dumping.[15] |
Pupy |
Mitigations
Mitigation | Description |
---|---|
Active Directory Configuration |
Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials.[17] |
Operating System Configuration |
Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)[18] |
Password Policies |
Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
Privileged Account Management |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
User Training |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
Detection
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[19] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Detection of compromised Valid Accounts in-use by adversaries may help as well.
References
- Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.
- Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.
- Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.
- Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.
- PowerSploit. (n.d.). Retrieved December 4, 2014.