Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Windows

SAM (Security Accounts Manager)

The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required. A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, the SAM can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes. [1]

Notes:

  • RID 500 is the local, built-in administrator account.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.

Cached Credentials

The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer, caches credentials when the domain controller is unavailable. The number of cached credentials kept by default varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks. A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes:

  • Cached credentials for Windows Vista are derived using PBKDF2.

Local Security Authority (LSA) Secrets

With SYSTEM access to a host, the LSA secrets often allow trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well. A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes:

  • The passwords extracted by this mechanism are UTF-16 encoded, which means that they are returned in plaintext.
  • Windows 10 adds protections for LSA Secrets described in Mitigation.

NTDS from Domain Controller

Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. [2]

The following tools and techniques can be used to enumerate the NTDS file and extract the password hashes of the entire Active Directory:

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

Group Policy Preference (GPP) Files

Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.

These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line). [3] [4]

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

  • Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
  • Get-GPPPassword [5]
  • gpprefdecrypt.py

Notes:

  • On the SYSVOL share, the following can be used to enumerate potential XML files: dir /s *.xml
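The `dir /s *.xml` enumeration above only lists files; the follow-up question for a defender auditing SYSVOL is which of those files still carry a `cpassword` attribute. The script below is an added example for this page, not code from the ATT&CK project or from any of the tools it lists (Get-GPPPassword, gpprefdecrypt.py, the Metasploit module). It walks a directory tree, parses every XML file, and reports each element that has a `cpassword` attribute together with the account it belongs to; because the decryption key is public, a populated `cpassword` is reported as an exposed credential without being decrypted. The sample XML files, policy folder names and placeholder blob values are constructed for the demonstration; the account attribute names (`userName`, `accountName`, `runAs`, `username`) are the ones the different preference types use.

```python
"""Audit Group Policy Preference (GPP) XML files for embedded credentials.

Added example, not part of the ATT&CK page or any tool it lists. Walks a
directory tree (cf. `dir /s *.xml` on SYSVOL) and reports every element with a
`cpassword` attribute. Nothing is decrypted: a populated cpassword is treated
as an exposed credential because the encryption key is public.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Attributes that name the account in the different GPP preference types.
ACCOUNT_ATTRIBUTES = ("userName", "accountName", "runAs", "username")

# Constructed samples standing in for files under SYSVOL\<domain>\Policies.
# Policy folder names and cpassword values are placeholders, not real data.
CONSTRUCTED_SAMPLES = {
    os.path.join("PolicyA", "Machine", "Preferences", "Groups", "Groups.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="LocalAdmin">\n'
        '    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_BLOB_1"/>\n'
        '  </User>\n'
        '</Groups>\n',
    os.path.join("PolicyA", "Machine", "Preferences", "ScheduledTasks", "ScheduledTasks.xml"):
        '<ScheduledTasks>\n'
        '  <Task name="Backup">\n'
        '    <Properties runAs="CORP\\svc_backup" cpassword="PLACEHOLDER_BLOB_2"/>\n'
        '  </Task>\n'
        '</ScheduledTasks>\n',
    # Same mechanism, but the password field was cleared: informational only.
    os.path.join("PolicyB", "User", "Preferences", "Drives", "Drives.xml"):
        '<Drives>\n'
        '  <Drive name="H:">\n'
        '    <Properties path="\\\\fileserver\\home" userName="" cpassword=""/>\n'
        '  </Drive>\n'
        '</Drives>\n',
    # Unrelated XML in the same tree; must not produce a finding.
    os.path.join("PolicyB", "Machine", "Registry.xml"):
        '<RegistrySettings><Registry name="Example"/></RegistrySettings>\n',
}


def find_cpassword_entries(xml_text: Union[str, bytes], source: str) -> List[Dict[str, object]]:
    """Return one finding per element in xml_text that carries a cpassword attribute."""
    findings: List[Dict[str, object]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # unreadable XML is not a credential finding; log it separately
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRIBUTES if elem.attrib.get(a)), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            # An empty cpassword stores no password; a populated one is recoverable.
            "exposed": elem.attrib["cpassword"] != "",
        })
    return findings


def scan_tree(root_dir: str) -> List[Dict[str, object]]:
    """Recursively audit every .xml file below root_dir, like `dir /s *.xml`."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(find_cpassword_entries(fh.read(), os.path.relpath(path, root_dir)))
    return sorted(findings, key=lambda f: str(f["source"]))


def demo() -> List[Dict[str, object]]:
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as base:
        for rel_path, content in CONSTRUCTED_SAMPLES.items():
            full = os.path.join(base, rel_path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(base)


if __name__ == "__main__":
    for finding in demo():
        status = "EXPOSED" if finding["exposed"] else "empty"
        print(f"{status:8} {finding['source']}  <{finding['element']}> account={finding['account']!r}")
```

Pointing `scan_tree` at a mounted copy of the Policies folder gives the same report for a real domain; every `EXPOSED` line is an account whose password should be considered disclosed to all domain users and rotated, and the policy should be rebuilt without the embedded credential.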

Service Principal Names (SPNs)

See Kerberoasting.

Plaintext Credentials

After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by an administrative user or SYSTEM.

SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

The following SSPs can be used to access credentials:

  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. [6]
  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services. [7]

The following tools can be used to enumerate credentials.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

  • procdump -ma lsass.exe lsass_dump

Locally, mimikatz can be run:

  • sekurlsa::minidump lsass_dump.dmp
  • sekurlsa::logonPasswords

DCSync

DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) [8] [9] [10] [11] to simulate the replication process from a remote domain controller. Any member of the Administrators, Domain Admins, or Enterprise Admins groups, or any computer account on the domain controller, is able to run DCSync to pull password data [12] from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket [13] or to change an account's password as noted in Account Manipulation. [14] DCSync functionality has been included in the "lsadump" module in Mimikatz. [15] Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. [16]

Linux

Proc filesystem

The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either direct use or brute force attacks, respectively. This functionality has been implemented in MimiPenguin, an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns matching how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

ID: T1003

Tactic: Credential Access

Platform: Windows, Linux, macOS

Permissions Required: Administrator, SYSTEM, root

Data Sources: API monitoring, Process monitoring, PowerShell logs, Process command-line parameters

CAPEC ID: CAPEC-567

Contributors: Vincent Le Toux; Ed Williams, Trustwave, SpiderLabs
Version: 1.0

Mitigations

  • Active Directory Configuration: Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication. [108] [109]
  • Credential Access Protection: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. [110] [111]
  • Operating System Configuration: Consider disabling or restricting NTLM. [112]
  • Password Policies: Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
  • Privileged Account Management: Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Linux: Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive regions of memory. [113]
  • Privileged Process Integrity: On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. [114]
  • User Training: Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Examples

Name Description
APT1

APT1 has been known to use credential dumping.[17]

APT28

APT28 regularly deploys both publicly available and custom password retrieval tools on victims.[18][19]

APT3

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." The group has also used a tool to dump passwords from browsers.[20]

APT32

APT32 used Mimikatz, GetPassword_x64, and customized versions of Windows Credential Dumper, HookChangePassword, and Outlook Credential Dumper to harvest credentials.[21][22]

APT33

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, Gpppassword, SniffPass, and ProcDump to dump credentials.[23][24]

APT37

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[25]

APT39

APT39 has used Mimikatz, Ncrack, Windows Credential Editor and ProcDump to dump credentials.[26]

Astaroth

Astaroth uses an external software known as NetPass to recover passwords.[27]

Axiom

Axiom has been known to dump credentials.[28]

Backdoor.Oldrea

Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[29]

BRONZE BUTLER

BRONZE BUTLER has used various tools to perform credential dumping.[30]

Cachedump

Cachedump can extract cached password hashes from a system’s registry.[17]

Carbanak

Carbanak obtains Windows logon password details.[31]

ChChes

ChChes steals credentials stored inside Internet Explorer.[32]

Cleaver

Cleaver has been known to dump credentials.[33]

Cobalt Strike

Cobalt Strike can recover hashed passwords.[34]

CosmicDuke

CosmicDuke collects user credentials, including passwords, for various programs and browsers, including popular instant messaging applications, Web browsers, and email clients. Windows account hashes, domain accounts, and LSA secrets are also collected, as are WLAN keys.[35]

CozyCar

Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. CozyCar has also executed Mimikatz for further victim penetration.[36]

Crimson

Crimson contains a module to steal credentials from Web browsers on the victim machine.[37]

Daserf

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[38]

Dragonfly 2.0

Dragonfly 2.0 dropped and executed SecretsDump and CrackMapExec, tools that can dump password hashes.[39][40][41]

Emotet

Emotet has been observed dropping browser and password grabber modules including Mimikatz.[42]

Empire

Empire contains an implementation of Mimikatz to gather credentials from memory.[43]

Fgdump

Fgdump can dump Windows password hashes.[17]

FIN5

FIN5 has dumped credentials from victims. Specifically, the group has used the tool GET5 Penetrator to look for remote login and hard-coded credentials.[44][45]

FIN6

FIN6 has used Windows Credential Editor for credential dumping, as well as Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[46][47]

FIN8

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[48]

GreyEnergy

GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.[49]

gsecdump

gsecdump can dump Windows password hashes and LSA secrets.[50]

H1N1

H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[51]

HOMEFRY

HOMEFRY can perform credential dumping.[52]

HOPLIGHT

HOPLIGHT has the capability to harvest credentials and passwords. [53]

Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[54]

Ke3chang

Ke3chang has dumped credentials, including by using Mimikatz.[55][56]

Koadic

Koadic can gather hashed passwords by dumping the SAM/SECURITY hives and can gather domain controller hashes from NTDS.[57]

KONNI

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[58]

LaZagne

LaZagne can perform credential dumping to obtain account and password information.[59]

Lazarus Group

Lazarus Group leveraged Mimikatz to extract Windows credentials of currently logged-in users and to steal passwords stored in browsers.[60]

Leafminer

Leafminer used several tools for retrieving login and password information.[61]

Leviathan

Leviathan has used publicly available tools to dump password hashes.[62]

Lslsass

Lslsass can dump active logon session password hashes from the lsass process.[17]

Magic Hound

Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.[63]

Matroyshka

Matroyshka is capable of stealing Outlook passwords.[64][65]

menuPass

menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[32][66]

Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA, SAM table, credential vault, DCSync/NetSync, and DPAPI.[67][15][68][69]

MimiPenguin

MimiPenguin can dump process memory and extract clear-text credentials.[70]

Mivast

Mivast has the capability to gather NTLM password information.[71]

Molerats

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[72]

MuddyWater

MuddyWater has performed credential dumping with Mimikatz, LaZagne, and other tools, including by dumping passwords saved in victim web browsers and email.[73][74]

Net Crawler

Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[33]

Night Dragon

Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[75]

NotPetya

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[76][77][69]

OilRig

OilRig has used credential dumping tools such as Mimikatz and LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[78][79][63]

OLDBAIT

OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients.[80]

Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[81]

OnionDuke

OnionDuke steals credentials from its victims.[35]

Patchwork

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[82]

PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).[35]

PLATINUM

PLATINUM has used keyloggers that are also capable of dumping credentials.[83]

Poseidon Group

Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.[84]

PoshC2

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[85]

PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using Mimikatz.[86][87]

POWERTON

POWERTON has the ability to dump password hashes.[24]

Prikormka

A module in Prikormka collects passwords stored in applications installed on the victim.[88]

Pupy

Pupy executes Mimikatz using PowerShell and can also perform pass-the-ticket and use Lazagne for harvesting credentials.[89]

pwdump

pwdump can be used to dump credentials.[90]

QuasarRAT

QuasarRAT can obtain passwords from common browsers and FTP clients.[91][92]

RedLeaves

RedLeaves can gather browser usernames and passwords.[93]

Remsec

Remsec can dump the SAM database.[94]

Revenge RAT

Revenge RAT has a plugin for credential harvesting.[95]

ROKRAT

ROKRAT steals credentials stored in Web browsers by querying the sqlite database and leveraging the Windows Vault mechanism.[96]

Soft Cell

Soft Cell used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[97]

Sowbug

Sowbug has used credential dumping tools.[98]

Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook.[99]

Stolen Pencil

Stolen Pencil gathers credentials using Moafee and Procdump.[100]

Strider

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password.[101]

Suckfly

Suckfly used a signed credential-dumping tool to obtain victim account credentials.[102]

TEMP.Veles

TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.[103]

Threat Group-3390

Threat Group-3390 actors have used gsecdump and a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[104][105]

Trojan.Karagany

Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[29]

Unknown Logger

Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine.[106]

Windows Credential Editor

Windows Credential Editor can dump credentials.[107]

Detection

Windows

Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [115] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
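The procdump and mimikatz sequence in the Plaintext Credentials section and the description above both come down to one observable: a process opening lsass.exe with a handle that permits reading its memory. The following is an added example for this page, not code from the ATT&CK project or from Sysmon; it triages Sysmon Event ID 10 (ProcessAccess) records and raises an alert when the target is lsass.exe, the granted access includes PROCESS_VM_READ, and the source image is not on an allowlist. Unbacked frames in the call trace (reported by Sysmon as `UNKNOWN(...)`) and a source image in a user-writable path raise the severity, which covers the reflective-injection variant mentioned above. The events are constructed and flattened to `key=value;` pairs rather than Sysmon's real XML, and the allowlist (including the EDR sensor path) is a placeholder to tune per environment.

```python
"""Triage Sysmon Event ID 10 records for suspicious access to lsass.exe.

Added example, not code from the ATT&CK project or Sysmon. Events are
constructed and flattened to key=value pairs for the demonstration.
"""
import ntpath
from typing import Dict, List, Optional

# Process access-right bits (real Win32 values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Images expected to read LSASS memory. Placeholder entries; tune per environment.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\exampleedr\sensor.exe",  # placeholder for a sanctioned EDR agent
}

# Path fragments indicating the source image runs from a user-writable location.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed Event ID 10 samples (SourceImage, TargetImage, GrantedAccess, CallTrace).
CONSTRUCTED_EVENTS = [
    r"EventID=10;SourceImage=C:\Windows\System32\wininit.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d6e4",
    r"EventID=10;SourceImage=C:\Tools\procdump64.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d6e4|C:\Windows\System32\KERNELBASE.dll+2c0ce",
    r"EventID=10;SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d6e4|UNKNOWN(00000000023F1C2A)",
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d6e4",
    r"EventID=10;SourceImage=C:\Windows\explorer.exe;TargetImage=C:\Windows\System32\notepad.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d6e4",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value;key=value record into a dict."""
    fields: Dict[str, str] = {}
    for pair in line.split(";"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert when the event is a suspicious LSASS access, else None."""
    if event.get("EventID") != "10":
        return None
    if ntpath.basename(event.get("TargetImage", "")).lower() != "lsass.exe":
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    # Reading credential material needs PROCESS_VM_READ; query-only handles are routine.
    if not access & PROCESS_VM_READ:
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWED_SOURCE_IMAGES:
        return None
    reasons = [f"opened lsass.exe with memory-read access (GrantedAccess={event['GrantedAccess']})"]
    severity = "medium"
    if "UNKNOWN(" in event.get("CallTrace", ""):
        # A frame with no backing module means code running from injected memory.
        reasons.append("call trace contains unbacked (UNKNOWN) frames: possible reflective injection")
        severity = "high"
    if any(hint in source.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("source image runs from a user-writable path")
        severity = "high"
    return {"source": source, "severity": severity, "reasons": reasons}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over raw records and collect the alerts in log order."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        alert = assess(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in triage(CONSTRUCTED_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['source']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

On the constructed input the wininit.exe open is allowlisted, the svchost.exe handle carries no PROCESS_VM_READ, and the notepad.exe event is not about LSASS, so only the procdump run (medium) and the unsigned binary from a temp directory with an unbacked call stack (high) are reported. A full-access handle (`0x1FFFFF`) from an unexpected image is exactly what a dump-to-disk tool produces, which is why the allowlist rather than the access mask does most of the work.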

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [8] [9] [10] Note: Domain controllers may not log replication requests originating from the default domain controller account. [116] Also monitor for network protocols [8] [16] and other replication requests [117] from IPs not associated with known domain controllers. [108]
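One concrete form of the replication-request monitoring described above is Security event 4662, which a domain controller records (when directory service access auditing is enabled) whenever a control-access right on the domain naming context is exercised. A DCSync request needs the replication extended rights, and those appear in the event's Properties field as GUIDs. The script below is an added example for this page, not code from the ATT&CK project or Mimikatz: it maps the GUIDs to their right names and alerts when the requesting account is not a known replicator. The events are constructed dicts standing in for parsed 4662 fields (the ObjectType value is simplified), and the set of known replicators is a placeholder that must be filled from the real DC and directory-sync accounts. Two caveats from the text above carry over: the default DC account's own requests may not be logged at all, and 4662 carries no source IP, so the IP-based check has to come from network data.

```python
"""Flag 4662 replication-right usage by accounts that are not known replicators.

Added example, not code from the ATT&CK project or Mimikatz. Events are
constructed dicts; KNOWN_REPLICATORS is a placeholder set.
"""
import re
from typing import Dict, List, Optional

# Extended-right GUIDs that appear in the Properties field of event 4662 (real values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for extended (control access) rights, real value
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Placeholder: DC computer accounts plus sanctioned replication service accounts.
KNOWN_REPLICATORS = {"corp\\dc01$", "corp\\dc02$", "corp\\svc_dirsync"}

# Constructed samples standing in for parsed 4662 events.
CONSTRUCTED_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc_inventory",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated property read; the GUID is a placeholder, not a real schema GUID.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "Read Property {00000000-0000-0000-0000-000000000000}"},
]


def replication_rights_in(properties: str) -> List[str]:
    """Map GUIDs in a 4662 Properties string to the replication rights they denote."""
    names: List[str] = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            names.append(name)
    return names


def assess(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return an alert when a non-replicator account exercised replication rights."""
    if event.get("EventID") != 4662:
        return None
    if not int(str(event.get("AccessMask", "0")), 16) & CONTROL_ACCESS:
        return None
    rights = replication_rights_in(str(event.get("Properties", "")))
    if not rights:
        return None
    subject = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}".lower()
    if subject in KNOWN_REPLICATORS:
        return None
    # Get-Changes-All is the right that returns secret attributes (password hashes);
    # Get-Changes alone cannot, so it rates lower but is still worth reviewing.
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "low"
    return {"subject": subject, "severity": severity, "rights": rights}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Collect alerts for a batch of parsed events."""
    return [alert for alert in (assess(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in triage(CONSTRUCTED_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['subject']}: {', '.join(alert['rights'])}")
```

The same GUID list is what to check when reviewing the "Replicating Directory Changes" access control list recommended under Mitigations: any principal holding Get-Changes-All on the domain object can perform this replication whether or not it ever shows up in 4662.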

Linux

To obtain the passwords and hashes stored in memory, a process must open the maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where <pid> is the unique process ID of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc filesystem, alerting on the pid, process name, and arguments of such programs.
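What makes the /proc access pattern above detectable is the mismatch between the pid doing the open and the pid in the path: processes read their own /proc/self/maps all the time (runtimes, debuggers, crash handlers), but a process reading /proc/<other pid>/maps or /proc/<other pid>/mem is the memory-scraping step. The script below is an added example for this page, not code from the ATT&CK project or MimiPenguin. It pairs auditd SYSCALL and PATH records by their event serial and alerts on cross-process opens of those two files, reporting the pid, uid, command name and executable the text above asks for. The audit lines are constructed; they assume an audit rule keyed `proc_maps` that records successful open/openat calls, and the rule itself is not shown because how to scope it without excessive noise depends on the distribution.

```python
"""Find processes opening another process's /proc/<pid>/maps or /proc/<pid>/mem.

Added example, not code from the ATT&CK project or MimiPenguin. Audit lines
are constructed and assume an audit rule keyed "proc_maps" (rule not shown).
"""
import re
from typing import Dict, List

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEMORY_RE = re.compile(r"^/proc/(?P<pid>\d+|self)/(?P<file>maps|mem)$")

# Constructed audit records (syscall 257 is openat on x86_64). Serial 103 shows
# the PATH record arriving before its SYSCALL record, which grouping must tolerate.
CONSTRUCTED_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1555000000.101:101): arch=c000003e syscall=257 success=yes exit=3 ppid=4300 pid=4321 auid=1000 uid=0 gid=0 comm="mimipenguin.sh" exe="/usr/bin/bash" key="proc_maps"',
    'type=PATH msg=audit(1555000000.101:101): item=0 name="/proc/1234/maps" inode=55 mode=0100444 nametype=NORMAL',
    'type=SYSCALL msg=audit(1555000000.102:102): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2222 auid=1000 uid=1000 gid=1000 comm="node" exe="/usr/bin/node" key="proc_maps"',
    'type=PATH msg=audit(1555000000.102:102): item=0 name="/proc/self/maps" inode=56 mode=0100444 nametype=NORMAL',
    'type=PATH msg=audit(1555000000.103:103): item=0 name="/proc/3333/maps" inode=57 mode=0100444 nametype=NORMAL',
    'type=SYSCALL msg=audit(1555000000.103:103): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3333 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="proc_maps"',
    'type=SYSCALL msg=audit(1555000000.104:104): arch=c000003e syscall=257 success=yes exit=4 ppid=4300 pid=4321 auid=1000 uid=0 gid=0 comm="mimipenguin.sh" exe="/usr/bin/bash" key="proc_maps"',
    'type=PATH msg=audit(1555000000.104:104): item=0 name="/proc/1234/mem" inode=58 mode=0100600 nametype=NORMAL',
    'type=SYSCALL msg=audit(1555000000.105:105): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=5555 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="proc_maps"',
    'type=PATH msg=audit(1555000000.105:105): item=0 name="/etc/hosts" inode=59 mode=0100644 nametype=NORMAL',
]


def parse_records(lines: List[str]) -> Dict[str, dict]:
    """Group records by event serial: {serial: {"SYSCALL": {...}, "PATH": [{...}, ...]}}."""
    events: Dict[str, dict] = {}
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # unrelated or malformed record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        event = events.setdefault(m.group("serial"), {"SYSCALL": {}, "PATH": []})
        if m.group("type") == "PATH":
            event["PATH"].append(fields)  # openat may emit several PATH items
        elif m.group("type") == "SYSCALL":
            event["SYSCALL"] = fields
    return events


def find_cross_process_memory_reads(lines: List[str]) -> List[Dict[str, str]]:
    """Alert on successful opens of /proc/<pid>/{maps,mem} where <pid> is not the opener."""
    alerts: List[Dict[str, str]] = []
    for serial, event in sorted(parse_records(lines).items(), key=lambda kv: int(kv[0])):
        syscall = event["SYSCALL"]
        if syscall.get("success") != "yes":
            continue  # failed opens are noise for this rule (worth counting separately)
        for path in event["PATH"]:
            m = PROC_MEMORY_RE.match(path.get("name", ""))
            if not m:
                continue
            target_pid = m.group("pid")
            if target_pid in ("self", syscall.get("pid")):
                continue  # a process inspecting itself is routine
            alerts.append({
                "serial": serial, "pid": syscall.get("pid", "?"), "uid": syscall.get("uid", "?"),
                "comm": syscall.get("comm", "?"), "exe": syscall.get("exe", "?"),
                "target_pid": target_pid, "path": path["name"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cross_process_memory_reads(CONSTRUCTED_AUDIT_LOG):
        print(f"pid={alert['pid']} uid={alert['uid']} comm={alert['comm']} exe={alert['exe']} "
              f"opened {alert['path']} (target pid {alert['target_pid']})")
```

Run against a real audit.log the same function reports the scraping process twice per target, once for the maps read that locates the regions and once for the mem read that copies them; the `uid=0` field in the alert is the confirmation that the root privilege the Linux mitigation talks about was in play.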

References

  1. Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.
  2. Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.
  3. Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018.
  4. Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.
  5. Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018.
  6. Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.
  7. Microsoft. (2008, July 25). Credential Security Service Provider and SSO for Terminal Services Logon. Retrieved April 11, 2018.
  8. Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.
  9. Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.
  10. SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
  11. Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
  12. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.
  13. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.
  14. Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.
  15. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  16. Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.
  17. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  18. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  19. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  20. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  21. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  22. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  23. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  24. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  25. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  26. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  27. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  28. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  29. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  30. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  31. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  32. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  33. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  34. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  35. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  36. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  37. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  38. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  39. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  40. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  41. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  42. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  43. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  44. Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
  45. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  46. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  47. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  48. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  49. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  50. TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
  51. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  52. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  53. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  54. SecureAuth. (n.d.). Retrieved January 15, 2019.
  55. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  56. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  57. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  58. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  59. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  60. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  61. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  62. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  63. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  64. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  65. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  66. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  67. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  68. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  69. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  70. Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.
  71. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  72. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  73. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  74. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  75. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  76. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  77. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  78. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  79. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  80. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  81. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  82. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  83. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  84. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  85. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  86. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  87. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  88. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  89. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  90. Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.
  91. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  92. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  93. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  94. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  95. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  96. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  97. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  98. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  99. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  100. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  101. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  102. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  103. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  104. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  105. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  106. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  107. Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q. Retrieved December 17, 2015.
  108. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.
  109. Microsoft. (n.d.). How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.
  110. Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.
  111. NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.
  112. Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.
  113. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.
  114. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
  115. PowerSploit. (n.d.). Retrieved December 4, 2014.
  116. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
  117. Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.