DISRUPTING THE ATTACK CHAIN THROUGH DETECTING CREDENTIAL DUMPING

Credential dumping is a crucial step in the attack chain. Attackers targeting an organization look for credential dumping techniques that can succeed against an organization with weak security controls. Nonetheless, a well-defended system can cope with an attack by disrupting the attack chain through detecting credential dumping. Norton.com/setup has an in-depth defense portfolio that blocks credential dumping and detects the events associated with it.
 
A successful attack requires several steps, and the initial breach is only the first link in the attack chain. After compromising the organization, would-be attackers engage in lateral movement, attempting to tiptoe through the network. In this phase they identify and single out the data and systems they are targeting, and it is here that credential dumping becomes pivotal.
 
Credential dumping is used during this phase to obtain account security information such as logins and passwords. Once attackers hold this information, they can access restricted data or explore further within the organization. Most credential dumping techniques require administrator privileges first, so the attacker must obtain them before any dumping attempt; that preceding step is known as privilege escalation.

Detecting and then blocking lateral movement is a vital step in any company's defense strategy. The www.norton.com/setup portfolio provides security across all control points in this step, with solutions that prevent credential dumping as well as its precursor events, such as privilege escalation, theft tool delivery, and post-theft credential use.
Methods of detecting credential dumping
Credential dumping has long been listed in the MITRE ATT&CK framework as technique T1003 because it is a routine step in post-breach lateral movement. A challenge in protecting against the various forms of credential dumping is that attackers disguise their techniques as legitimate activity: they leverage standard administrative tools so that the dumping masquerades as normal administration. Purpose-built tools such as Hacktool.Mimikatz are also freely available online and can dump credentials using a variety of methods.
Credential dumping attempts can be revealed in a number of ways using the solutions available at norton.com/setup. Below, we discuss how www.norton.com/setup endpoint detection and response makes credential theft attempts visible by identifying the wide range of credential dumping techniques in use. These techniques include:

  • Potential access to the Security Account Manager (SAM) area of the registry
  • Key logging
  • Sniffing network traffic to capture protected credentials
  • Attacking the system so as to read protected storage
  • Accessing the memory of applications in which user credentials may have been stored, including internet browsers and mail clients
  • Targeting Windows Credential Manager to access stored credentials
  • Abusing Kerberos Ticket Granting Service operations to harvest ticket hashes, which are then cracked offline to recover logins and passwords
  • Penetrating the Windows Local Security Authority Subsystem Service (LSASS)
  • Reading the memory of the Windows Local Security Authority Subsystem Service (LSASS) process
Regardless of the tool used to attack credentials, www.norton.com/setup reports the activity as soon as a credential theft attempt is suspected. The report states exactly what was attempted and what was observed: the attacker's goal (the MITRE ATT&CK tactic) and how they tried to achieve it (the technique) are both revealed.
Norton.com/setup detection and response also automatically gathers related activity around a detected credential dumping attempt, providing more information and context about the breach. It does so through targeted attack analytics technology, which combines the skills of world-renowned security experts with machine learning and artificial intelligence to produce virtual analysts.
Local events from the organization's environment are correlated with rich information from a massive security telemetry data store to build the full picture of how the attacker moves within the organization. Targeted attack analytics (TAA) automates the credential dumping detection process that would otherwise cost an analyst valuable time. Some of the events that TAA correlates with credential dumping are listed below.
  • Questionable deployment of executable files such as password harvesting tools and remote access tools across an enterprise through removable media or network shares
  • Remote execution through suspicious use of multi-purpose tools, including PowerShell, Windows Management Instrumentation clients and PsExec, within an enterprise
  • Malicious activity involving Windows administrative shares
  • Exploitation of remote services across the customer network
  • Subverting logon scripts on endpoints to establish persistence
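The kind of correlation described above, as an added illustration that is not part of the original page or the vendor's product: it runs over constructed telemetry lines in a simplified format (not any vendor's schema), flags the LSASS-memory-read and SAM-hive indicators from the technique list earlier, and marks each alert as correlated when a remote-execution precursor (PsExec, WMI or PowerShell remoting) on the same host preceded it within a time window. Host names, users and tool names are made up.

```python
import re
from datetime import datetime

# Constructed sample telemetry in a simplified "timestamp host kind detail" format
# (not any vendor's schema); hosts, users and tool names are made up.
SAMPLE_EVENTS = """
2024-03-01T09:00:05 WS-17 remote_exec psexec service started by CORP\\helpdesk
2024-03-01T09:00:41 WS-17 proc_access target=lsass.exe source=tool.exe
2024-03-01T09:01:02 WS-17 registry_read hive=SAM source=reg.exe
2024-03-01T10:15:00 WS-42 remote_exec wmi process created by CORP\\it-admin
2024-03-01T13:30:00 WS-42 proc_access target=notepad.exe source=explorer.exe
2024-03-01T11:00:00 SRV-03 proc_access target=lsass.exe source=tool.exe
"""

# Lateral-movement precursors the page names (PsExec, WMI, PowerShell remoting)
PRECURSORS = {"remote_exec"}
# T1003 indicators from the page's technique list: LSASS memory read, SAM hive access
DUMP_INDICATORS = {
    "proc_access": re.compile(r"\btarget=lsass\.exe\b", re.I),
    "registry_read": re.compile(r"\bhive=SAM\b", re.I),
}

def parse(lines):
    """Parse constructed lines into (timestamp, host, kind, detail), oldest first."""
    events = []
    for line in lines.strip().splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)

def detect(lines, window_s=600):
    """Raise an alert for every dump indicator; mark it correlated when a
    remote-execution precursor on the same host preceded it within window_s."""
    alerts, last_precursor = [], {}
    for ts, host, kind, detail in parse(lines):
        if kind in PRECURSORS:
            last_precursor[host] = ts
            continue
        pattern = DUMP_INDICATORS.get(kind)
        if pattern and pattern.search(detail):
            t0 = last_precursor.get(host)
            alerts.append({
                "host": host, "technique": "T1003", "kind": kind, "detail": detail,
                "correlated": t0 is not None and (ts - t0).total_seconds() <= window_s,
            })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("CORRELATED" if a["correlated"] else "ALERT", a["host"], a["detail"])
```

On the sample data, WS-17 yields two correlated alerts (LSASS read and SAM read shortly after a PsExec launch), while the lone LSASS read on SRV-03 is still reported but without lateral-movement context.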
Credential dumping may give attackers access to information that can seriously harm the organization. An important step in preventing this is blocking the process itself using the protection technologies available at www.norton.com/setup. These include:
  • Behavior analysis – The system performs full real-time analysis of running processes to detect suspicious activity
  • Reputation – Correlating information about a program collected from telemetry across millions of customers
  • Emulation – Processes and their activities are put through pre-execution evaluation
  • Heuristics – A vital part of blocking known credential dumping techniques. The system looks for previously identified malicious attributes of a program that are known to be associated with credential dumping
  • Machine learning – Techniques that mimic the human brain are used to detect malicious activities and processes
Alerts are raised under the following detection names.
  • SONAR.DumpSAM!gen2
  • SONAR.PWDumpX!gen1
  • SONAR.SuspInject!gen3
  • Pwdump
  • Hacktool.PasswdDumper
  • SONAR.Mimikatz!gen3
  • SONAR.Mimikatz!gen8
  • SONAR.Mimikatz!gen9
  • SONAR.Mimikatz!gen12
  • SONAR.Mimikatz!gen13
  • Hacktool.Mimikatz
  • Hacktool.Credix
  • SONAR.Powershell
Www.norton.com/setup protection and the detection and response offering are only two parts of the norton.com/setup portfolio that help deal with credential dumping, by identifying and blocking credential theft at various points along the attack chain. As noted earlier, credential dumping involves several distinct steps, so the defensive approach needs to cover every step that can lead to theft of credentials.
Research teams continue to track emerging trends in the credential dumping methods attackers use in their attacks and cyber crime activity. The attacks are evolving, but so are the defense strategies organizations employ. You will find these defenses at www.norton.com/setup.
