Some places to start to monitor (e.g. for unexpected processes interacting with one of the following), collector forensics and try to protect for OS Credential Dumping Mitre Att&ck T1003 are:
Place ----- ATT&CK Subtechnique ID
LSASS Memory -----T1003.001
Security Account Manager ----- T1003.002
NTDS ----- T1003.003
LSA Secrets ----- T1003.004
Cached Domain Credentials ----- T1003.005
DCSync ----- T1003.006
Proc Filesystem ----- T1003.007
/etc/passwd ----- T1003.008
/etc/shadow ----- T1003.008
Each attack technique is described with examples, as well as possible mitigations and detections.
No comments:
Post a Comment