Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today, we're going to be looking at credential dumping,
00:09
so our objectives for this particular discussion are as follows we're going to describe for you. What credential dumping is. We're gonna look at some tools as well that could be used for that. We'll talk about some mitigation techniques and some detection techniques as well.
00:24
So within minor credential, dumping is pretty much as follows. It's pretty straightforward, so it's one of threat. Actor attains, account log in and password information. Typically, the form of hashes or clear text
00:38
is how that is going to look. So
00:40
third actor gets on the system, runs a tool, pulls a hash file that is essentially your credentials on that system. So some common tools associated with credential dumping You may recognize some of these, so we've got PW Dump
00:54
X, and that's an execute herbal here, and it's able to acquire hashes from remote hosts, and then it could be used to long into systems with the hash
01:03
so you can take the hash, you steal it, and then you execute this particular tool against the system,
01:11
and it will use that hash to attempt to long you in as a user. G set dump extracts, password hashes from sam slash a D or Longuet log on sessions Many cats I'm sure you've heard of before is used to view and save authentication credentials like core burrows tickets.
01:26
Now there are other attacks that this conduce another password, things that it can it can take from the system. That Cobra's tickets is something I've definitely seen this tool do before.
01:36
And then Secret Secrets dump that P Y Python based dumps hashes from the amount machine without executing any agent on the system, which could be beneficial if you're trying to be sneaky
01:49
Now. All in all, password dumping is a thing. We hear about it every day where tons of credentials were stolen and put on the dark Web for sale. So what are some things that we could do
02:00
to potentially reduce the threat actors ability to get these credentials and still in what we can disable or restrict in t l m. On systems,
02:08
we could ensure that local administrator accounts have complex and unique passwords that make it harder to steal and get access to weaken limit credential overlap across accounts and so limiting that reused passwords and ensuring that if the hashes stolen, like a local administrator account or something of that nature that it can't be
02:28
reused across the organization.
02:30
Now the detection techniques list Here we've got two sets for Windows and Linux based systems on Windows we can monitor for process interactions with L Sassy XY and we could Monitor for Network Protocols and other replication requests from I. P is not associated with known domain
02:46
controllers. So things that are trying to still the hashes from the
02:52
active directory systems
02:53
and then on Lennox. We can use the on it Damon Monitor monitoring tool or audit the which is by default in many Lennox distributions, and it can be used to watch for hostile processes. Opening this file in the Prak file system, a learning on P i. D. Process, name and arguments
03:13
of such programmes. It would
03:15
be used either for stealing credentials or that would be attempting to manipulate the system to still credentials. So let's do a quick check on learning true or false credential. Dumping is when a user changes their password after a compromise.
03:30
All right, well, if you need more time. Police pause the video, so credential dumping is not when a user changes their password after compromise, they're not dumping that credential for a new one. It's one of threat. Actors steals their credentials, and so this is a false statement.
03:45
Now,
03:46
in summary of today's discussion, we looked at credential dumping again. That's when a threat actor either steal passwords in plain text or in their hashed form. And we looked at several tools such as Mimi Cats that can be used for that. We talked about mitigation techniques, and we reviewed detection techniques as well
04:05
four credential dumping attempts.
04:09
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor