Detecting Suspicious Credential Dumping

Detecting Suspicious Credential Dumping: A Realistic Threat Hunting Investigation

Observations that Caught Our Eye

On a routine scan of the Security Information and Event Management (SIEM) dashboard, something caught my eye: a Sysmon Event ID 10 (ProcessAccess) that pointed to potential credential dumping around 3 PM on a typical weekday. The time was not out of the ordinary for regular user activity, but there was enough in the event to pique our interest.

Initial Hypothesis and Process Lineage

Our initial hunch was that attackers might be accessing Local Security Authority Subsystem Service (LSASS) memory or credential stores to steal account credentials, aligning with MITRE ATT&CK Technique T1003. This technique involves adversaries accessing LSASS memory to gather sensitive information like usernames and passwords.

To dig deeper, I first checked the DeviceProcessEvents for any unusual activity involving processes that could be related to credential dumping:

DeviceProcessEvents 
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine

This query flagged a suspicious command line argument containing -enc, the abbreviated form of PowerShell's -EncodedCommand switch, which takes a base64-encoded script and is often used to obfuscate what is being run. The fact that the process was launched from an unusual user session added to the suspicion.

Expanding the Scope

We decided to expand our investigation by collecting more detailed telemetry and reviewing the process lineage using EDR (Endpoint Detection and Response) tools:

index=sysmon EventCode=1 CommandLine="*-enc*"
| stats count by Computer, CommandLine

This query helped us identify other instances of PowerShell commands with -enc across our network. A few more suspicious commands turned up, but nothing as alarming as the initial event.

Mapping to MITRE ATT&CK

Mapping this activity to MITRE ATT&CK, we aligned it with T1003: Credential Access:

  • Technique: T1003
    • Subtechniques: T1003.004 (Access LSASS), T1003.006 (Retrieve Credentials from Environment Variables)
  • Tactics:
    • Credential Access

Developing Detection Rules

Sigma Rule for Suspicious Encoded PowerShell

We developed a Sigma detection rule to identify suspicious usage of encoded PowerShell commands:

title: Suspicious Encoded PowerShell
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - 'EncodedCommand'
  condition: selection
falsepositives:
  - Administrative scripts that legitimately pass encoded commands
level: high

This helped us quickly spot any instances where PowerShell was being used in an obfuscated manner, a common tactic for evading detection.

KQL Hunting Reference

For tracking down the exact commands and context of suspicious rundll32.exe processes:

DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine

This query provided us with a detailed view of the suspect activity.

Analyst Notes

Process Lineage Analysis

Upon closer inspection, we found that the initial rundll32.exe process was initiated by a PowerShell script. The command line argument -enc was used in conjunction with an encoded command:

rundll32.exe cmd /c powershell -enc [base64_encoded_command]
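The lineage work described above can be automated by joining Sysmon process-creation records (Event ID 1) to process-access records (Event ID 10) on the source process GUID, walking parent GUIDs back to the root, and flagging any LSASS read whose ancestry includes an encoded PowerShell command. The following is an added example and not part of the original post; the GUIDs, image paths, the "scanner.exe" allowlist entry and the access masks are constructed for the illustration. The mask constants are the documented Windows values (PROCESS_VM_READ = 0x0010, PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000).

```python
# Constructed Sysmon-style records; GUIDs, paths and command lines are made up for the example.
PROCESS_CREATE = [  # Sysmon Event ID 1
    {"ProcessGuid": "G-1", "ParentProcessGuid": "G-0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "G-2", "ParentProcessGuid": "G-1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc [base64_encoded_command]"},
    {"ProcessGuid": "G-3", "ParentProcessGuid": "G-2",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe [constructed args]"},
    {"ProcessGuid": "G-4", "ParentProcessGuid": "G-0",
     "Image": r"C:\ProgramData\AV\scanner.exe", "CommandLine": "scanner.exe"},  # hypothetical AV engine
]
PROCESS_ACCESS = [  # Sysmon Event ID 10
    {"SourceProcessGUID": "G-3", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceProcessGUID": "G-4", "SourceImage": r"C:\ProgramData\AV\scanner.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceProcessGUID": "G-3", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
]

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


def reads_memory(granted_access):
    """True when the GrantedAccess mask includes PROCESS_VM_READ, the right needed to read LSASS memory."""
    return int(granted_access, 16) & PROCESS_VM_READ != 0


def has_encoded_flag(cmdline):
    """True if any switch on the command line is an abbreviation of -EncodedCommand (-e, -enc, ...)."""
    for tok in cmdline.split():
        flag = tok[1:].lower()
        if tok[0] in "-/" and flag and "encodedcommand".startswith(flag):
            return True
    return False


def ancestry(guid, by_guid):
    """Walk ParentProcessGuid links from a process to the root; child first. Guards against cycles."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        rec = by_guid[guid]
        chain.append(rec)
        guid = rec["ParentProcessGuid"]
    return chain


def hunt_lsass_access(creates, accesses, allowlist=()):
    """Return one alert per LSASS memory read by a non-allowlisted process, with its lineage."""
    by_guid = {r["ProcessGuid"]: r for r in creates}
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for ev in accesses:
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if not reads_memory(ev["GrantedAccess"]):
            continue
        if ev["SourceImage"].lower() in allowed:
            continue
        chain = ancestry(ev["SourceProcessGUID"], by_guid)
        alerts.append({
            "source": ev["SourceImage"],
            "granted": ev["GrantedAccess"],
            "lineage": [r["Image"].rsplit("\\", 1)[-1] for r in chain],
            "encoded_ancestor": any(has_encoded_flag(r["CommandLine"]) for r in chain),
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt_lsass_access(PROCESS_CREATE, PROCESS_ACCESS, allowlist=[r"C:\ProgramData\AV\scanner.exe"]):
        print(alert)
```

Run with an empty allowlist the hunt produces two alerts (the rundll32.exe read and the AV engine's read); with the engine allowlisted only the rundll32.exe access remains, and its lineage rundll32.exe -> powershell.exe -> explorer.exe carries the encoded command that made the original event worth chasing. The svchost.exe access is ignored because the target is not LSASS.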

Why It Looks Suspicious

The use of obfuscation techniques like base64 encoding in PowerShell scripts is a hallmark of malicious intent. The presence of such commands, especially from rundll32.exe, raised red flags.

Considering False Positives

While legitimate administrative tasks might also use encoded PowerShell scripts, the context and timing of this activity were too suspicious to ignore.

Telemetry Challenges

EDR and Sysmon Limitations

Sysmon events provided valuable insights into process creation and command line arguments, but had limitations:

  • EDR Coverage: Not all endpoints have EDR agents installed or are configured properly.
  • Event Latency: Delays in detecting and reporting suspicious activities due to the time it takes for EDR agents to send data.

Operational Observations

During our investigation, we noticed that some of the suspicious activity was occurring on virtual machines (VMs) within a cloud environment. This posed challenges in terms of monitoring and responding quickly.

Practical Hunting Methodology

To improve detection capabilities, we employed several practical hunting methodologies:

  • Continuous Monitoring: Regularly review logs and alerts.
  • Automated Hunting Scripts: Use tools like Sigma and KQL for quick identification.
  • Process Anomaly Detection: Implement machine learning models to detect anomalous behavior.

Operational Challenges

Resource Constraints

Our SOC team operates with limited resources, so we prioritize high-risk environments and endpoints. Strategic allocation is crucial.

Human Error

During the investigation, there were instances of human error, such as misinterpreting logs or missing context clues. Regular training and cross-referencing data points helped mitigate these issues.

Telemetry Gaps

Lack of Context

Sometimes, we lacked key contextual information like user identities and application usage. Enhancing telemetry collection to include more detailed metadata would be beneficial.

Integration Challenges

Integrating various tools and data sources can be complex. Ensuring seamless integration is essential for effective threat hunting.

Interesting Findings

Our investigation revealed that the suspicious activity was part of a larger campaign by the known APT group FIN7. The attackers were using custom malware to establish persistence and gather credentials. This insight helped us refine our detection rules and improve our incident response strategy.

Detection Recommendations

Enhanced Logging

Implement enhanced logging for critical processes, including PowerShell execution and network activity.

Real-Time Monitoring

Deploy real-time monitoring tools that can quickly alert on suspicious activities.

Machine Learning Models

Utilize machine learning models to detect anomalies in process behavior, such as unusual command line arguments or unexpected network connections.

Telemetry Improvement Ideas

Additional Contextual Data

Collect additional contextual data like user identities, application usage, and endpoint security posture.

Enhanced EDR Coverage

Ensure that all critical endpoints have robust EDR solutions installed and configured properly.

Comprehensive Logging Policies

Establish comprehensive logging policies for both on-premises and cloud environments to capture detailed telemetry.

Relevant Hashtags

#ThreatHunting #CredDumpDetection #SysmonMonitoring #EDRTelemetry #MITREATTCKT1003 #FIN7APT #SecurityOps #EndpointSecurity #ProcessAnomalyDetection

This investigation provided valuable insights into detecting and responding to credential dumping attacks. By continuously refining our detection methods and improving telemetry collection, we can better protect against advanced threats.

#ThreatHunting #CyberSecurity #BlueTeam #SOC #DetectionEngineering #MITREATTACK #CredentialAccess #Windows #CredentialDumping