Investigating Credential Dumping Activity

Investigating Credential Dumping Activity: A Realistic Threat Hunting Case Study

Why This Activity Stood Out

During a routine review of the security logs, we noticed activity that warranted a closer look. The initial alert came from a Sysmon Event ID 10, which logged an unusual process access event on one of our Windows servers. Specifically, it flagged LSASS (Local Security Authority Subsystem Service) as being accessed in an odd way. LSASS is a prime target for credential dumping attacks because it holds credential material for logged-on users.

Initial Hunt Logic

Threat Actor Reference: Wizard Spider

Based on our threat intel feed, this activity could be attributed to the Wizard Spider group. They are notorious for their sophisticated tactics involving LSASS injection and accessing credential stores.

Potential IOC: Encoded PowerShell Command Execution

We also spotted a potential indicator of compromise (IOC) where encoded PowerShell commands were being executed. This is a common technique used by adversaries to hide malicious activities or bypass traditional defenses.

Reviewing Process Lineage

To get a clearer picture, we started by reviewing the process lineage leading up to and following the suspicious LSASS access event.

Sysmon Event ID 10

  • Timestamp: October 15, 2023, at 14:30 UTC
  • DeviceName: WIN-SERVER1
  • Image: C:\Windows\system32\lsass.exe
  • CommandLine: C:\Windows\System32\wscript.exe -enc Zm9vYmFzZGluZ3M=

EDR Telemetry

Our endpoint detection and response (EDR) solution gave us more context. It showed that the command was executed by a PowerShell script, which aligns with our initial suspicions.

Expanding the Investigation

Given these leads, we widened our scope to cover related events and potential indicators of compromise.

Reviewing Security Logs

We cross-referenced the Sysmon event with security logs from the same timeframe. This helped us identify any other unusual activities that might be part of a broader attack vector.

Process Access Events

Process access events captured by Sysmon suggested an attempt to dump credentials using LSASS. The specific use of wscript.exe is suspicious because it’s commonly abused in credential dumping scenarios.

Detection Opportunities

Sigma Detection Idea: Suspicious Encoded PowerShell

We developed a Sigma rule to detect such activities more proactively:

title: Suspicious Encoded PowerShell
status: experimental
description: Detects process creation where the command line carries an encoded PowerShell command (-enc / -EncodedCommand)
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - 'EncodedCommand'
  condition: selection
falsepositives:
  - Administrative or deployment scripts that legitimately pass encoded commands
level: high

KQL Hunting Reference

Using the following KQL query against Defender process telemetry, we identified potential malicious activities:

DeviceProcessEvents
| where ProcessCommandLine contains "-enc"
| project Timestamp, DeviceName, ProcessCommandLine

SPL Hunting Reference

For more detailed analysis using Splunk, the following query was employed:

index=sysmon EventCode=1 CommandLine="*-enc*"
| stats count by Computer, CommandLine
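As an added example (not code from the original post), the following Python applies the same hunt logic offline to constructed Sysmon records: the Sigma selection above for encoded PowerShell, the Event ID 10 check for a non-allowlisted process opening a handle to lsass.exe described under Process Access Events, and a decoder for the base64 UTF-16LE payload that follows the flag so the analyst can see what was run. The field names follow Sysmon; the allowlist and the sample events are constructed for the example.

```python
import base64
from typing import Dict, List, Optional
ENCODED_FLAGS = ("-enc", "EncodedCommand")  # the selection from the Sigma rule above
# Constructed allowlist of processes that legitimately open lsass.exe; tune per environment
LSASS_ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the base64 UTF-16LE payload after -enc (powershell.exe accepts any prefix of -EncodedCommand); None if absent or undecodable."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        stem = flag.lower().lstrip("-")
        if flag.startswith("-") and stem and "encodedcommand".startswith(stem):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not a PowerShell encoding
    return None

def match_encoded_powershell(event: Dict) -> bool:
    """Sigma selection: process creation (Event ID 1) whose CommandLine contains a marker."""
    cmd = event.get("CommandLine", "").lower()
    return event.get("EventID") == 1 and any(m.lower() in cmd for m in ENCODED_FLAGS)

def match_lsass_access(event: Dict) -> bool:
    """Sysmon Event ID 10: a non-allowlisted source image opened a handle to lsass.exe."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    return target.endswith(r"\lsass.exe") and event.get("SourceImage", "").lower() not in LSASS_ACCESS_ALLOWLIST

def hunt(events: List[Dict]) -> List[Dict]:
    """Run both detections and return triage-ready findings in event order."""
    findings = []
    for ev in events:
        if match_encoded_powershell(ev):
            findings.append({"rule": "Suspicious Encoded PowerShell", "Computer": ev["Computer"],
                             "decoded": decode_encoded_command(ev["CommandLine"])})
        if match_lsass_access(ev):
            findings.append({"rule": "LSASS Process Access", "Computer": ev["Computer"],
                             "source": ev["SourceImage"], "access": ev.get("GrantedAccess")})
    return findings

ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()  # benign constructed payload
SAMPLE_EVENTS = [  # constructed sample Sysmon events (not from the original post), reduced to the fields used
    {"EventID": 1, "Computer": "WIN-SERVER1", "CommandLine": f"powershell.exe -NoP -w hidden -enc {ENCODED_WHOAMI}"},
    {"EventID": 1, "Computer": "WIN-SERVER1", "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 10, "Computer": "WIN-SERVER1", "SourceImage": r"C:\Windows\System32\wscript.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WIN-SERVER1", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
]
```

Running hunt(SAMPLE_EVENTS) yields two findings: the encoded PowerShell launch with its decoded payload, and the wscript.exe handle to lsass.exe, while the allowlisted csrss.exe access and the notepad launch are ignored.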

Analyst Notes

Initial Uncertainty

Initially, we weren’t sure if this activity was benign or malicious. The presence of wscript.exe alone wasn’t conclusive; it’s a legitimate process that can be abused.

Investigative Pivots

To resolve the uncertainty, we pivoted to look at additional telemetry and logs, such as network traffic and system events. We also reviewed EDR telemetry for any other suspicious activities involving LSASS or credential stores.

Operational Challenges

Telemetry Gaps

One of the biggest challenges was identifying gaps in our current telemetry coverage. For instance, some security logs lacked timestamps or event details, making it harder to correlate events effectively.

False Positive Scenarios

We also encountered false positives from EDR tools when legitimate processes were flagged as suspicious because of their association with known malicious payloads. This required careful validation and context analysis before raising an alarm.

MITRE ATT&CK Mapping

Tactic            | Technique
------------------|---------------------------
Credential Access | T1003 – Credential Dumping

The activity we observed aligns with T1003, which involves adversaries attempting to access LSASS memory or credential stores. The use of wscript.exe and encoded PowerShell commands is consistent with this technique.

Telemetry Improvement Ideas

To improve our detection capabilities, we recommended the following:

Enhanced Sysmon Configuration

  • Process Creation Events: Enable detailed event logs for process creation.
  • Kernel Events: Include kernel events to capture more low-level activity.

EDR Integration

  • Real-time Monitoring: Ensure real-time monitoring of critical processes and executables.
  • Event Correlation: Implement better correlation rules across different security tools.

Practical Detection Recommendations

  1. Sigma Rules: Develop additional Sigma rules for detecting credential dumping activities.
  2. KQL and SPL Queries: Regularly update KQL and SPL queries to include new indicators and improve accuracy.
  3. Endpoint Monitoring: Strengthen EDR monitoring by integrating with other SIEM tools for better visibility.

Hashtags Relevant to the Hunt Topic

#ThreatHunting #WizardSpider #CredDUMPing #Sysmon #EDR #MITREATT&CK #SPL #KQL #DetectionEngineering

This investigation highlights a practical approach to detecting and responding to credential dumping activities. By leveraging detailed telemetry, process lineage analysis, and continuous improvement of detection mechanisms, we can better protect our infrastructure from advanced threats like Wizard Spider.

#ThreatHunting #CyberSecurity #BlueTeam #SOC #DetectionEngineering #MITREATTACK #CredentialAccess #Windows #CredentialDumping