A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
Example:
cmd /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp<filename>.tmp
Related
Volt Typhoon activity
https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
https://docs.microsoft.com/sysinternals/downloads/procdump
{{ mitre("T1003.003")}}
Data Source(s): Process, Command
let c1 = dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"]);
find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1)
- Inspect which account and at what time the activity was performed
- Question the user if the activity was expected and approved
Version 1.0 (date: 10/07/2023)