Analyze Evidence of Credential Dumping Techniques

IR Analyst

Analyze evidence of credential dumping including LSASS access, SAM database extraction, DCSync attacks, Kerberoasting, and AS-REP roasting. Determine the scope of credential compromise.

Actions

  1. Check for LSASS memory access: look for processes reading lsass.exe memory via Event ID 4663, Sysmon Event ID 10 (ProcessAccess with TargetImage containing lsass.exe), and EDR alerts for credential access.
  2. Check for SAM/SYSTEM/SECURITY hive copies: `reg save HKLM\SAM`, `reg save HKLM\SYSTEM`, or shadow copy access to these files.
  3. Detect DCSync attacks: look for Directory Service Access events (Event ID 4662) with replication rights GUIDs from non-DC sources.
  4. Identify Kerberoasting: Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) for service accounts, especially from non-standard sources.
  5. Check for AS-REP roasting: Event ID 4768 without pre-authentication for accounts with "Do not require Kerberos preauthentication" set.

Queries

```kql
// Credential dumping tooling and LSASS dump command lines on endpoints.
// rundll32.exe and comsvcs.dll are deliberately not matched by FileName alone (every
// rundll32 launch would hit); the comsvcs MiniDump technique is caught by the command-line terms.
DeviceProcessEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where FileName in~ ("mimikatz.exe", "procdump.exe", "procdump64.exe", "sqldumper.exe")
    or ProcessCommandLine has_any ("sekurlsa", "lsadump", "kerberos::list", "privilege::debug", "comsvcs", "MiniDump")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

// DCSync detection: replication control-access GUIDs requested by a non-machine account
SecurityEvent
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where EventID == 4662
| where Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   // DS-Replication-Get-Changes
    or Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   // DS-Replication-Get-Changes-All
| where SubjectUserName !endswith "$"                           // drop DC machine accounts (legitimate replication)
| project TimeGenerated, SubjectUserName, ObjectName, Properties

// Kerberoasting detection: RC4-HMAC service tickets for user-account SPNs
SecurityEvent
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName !endswith "$" and ServiceName !~ "krbtgt"   // exclude machine SPNs and TGT renewals
| project TimeGenerated, TargetUserName, ServiceName, IpAddress, TicketEncryptionType
```

Notes

  • If credential dumping is confirmed, assume ALL credentials on the compromised systems are compromised. This includes domain cached credentials, service account passwords, and any passwords stored in memory.
  • The scope of credential compromise directly determines the scope of the credential reset during eradication.
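As an added example that is not part of this playbook, the following Python applies the five checks from the Actions section (with the machine-account and krbtgt exclusions from the Queries) to constructed event records whose field names mirror the SecurityEvent and Sysmon columns used above, then derives the reset scope the Notes call for. Hosts, accounts, IPs and the pd.exe path are made up, and the PreAuthType and Computer field names are assumptions of this example.

```python
# Added example (not the playbook's code): triage constructed records whose fields mirror the query columns above.
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All
RC4_HMAC = "0x17"

def classify(ev):
    """Map one event dict to a finding label, or None when it matches nothing."""
    eid, props, svc = ev.get("EventID"), ev.get("Properties", ""), ev.get("ServiceName", "")
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return "lsass_access"        # Sysmon ProcessAccess on lsass.exe
    if eid == 4662 and any(g in props for g in REPL_GUIDS) and not ev.get("SubjectUserName", "").endswith("$"):
        return "dcsync"              # replication rights requested by a non-machine account
    if eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
        return "kerberoast"          # RC4 service ticket for a user-account SPN
    if eid == 4768 and ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == RC4_HMAC:
        return "asrep_roast"         # AS-REQ without pre-auth answered with an RC4 AS-REP
    return None

def triage(events):
    """Group matching events by finding label."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(label, []).append(ev)
    return findings

def reset_scope(findings):
    """Credentials to treat as compromised; this is the eradication reset list."""
    scope = set()
    for label, evs in findings.items():
        for ev in evs:
            if label == "dcsync":
                scope.add("ENTIRE DOMAIN (every replicated hash, including krbtgt)")
            elif label == "lsass_access":
                scope.add("all credentials cached on " + ev["Computer"])
            else:                                 # kerberoast -> SPN account, asrep_roast -> user
                scope.add(ev["ServiceName"] if label == "kerberoast" else ev["TargetUserName"])
    return scope

# Constructed sample records (hosts, accounts and IPs are made up for this example).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Temp\\pd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # normal DC replication
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
]
```

Running `reset_scope(triage(SAMPLE_EVENTS))` on these records yields the domain-wide entry, the cached credentials on WS01, and the svc_sql and svc_legacy accounts, while the DC-to-DC replication, machine SPN and AES logon records are correctly ignored.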