1. Home
  2. Techniques
  3. Enterprise
  4. OS Credential Dumping
  5. LSASS Memory

OS Credential Dumping: LSASS Memory

ID Name
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1003.003 NTDS
T1003.004 LSA Secrets
T1003.005 Cached Domain Credentials
T1003.006 DCSync
T1003.007 Proc Filesystem
T1003.008 /etc/passwd and /etc/shadow

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

  • procdump -ma lsass.exe lsass_dump

Locally, mimikatz can be run using:

  • sekurlsa::Minidump lsassdump.dmp
  • sekurlsa::logonPasswords

Built-in Windows tools such as comsvcs.dll can also be used:

  • rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full[1][2]

Similar to Image File Execution Options Injection, the silent process exit mechanism can be abused to create a memory dump of lsass.exe through Windows Error Reporting (WerFault.exe).[3]

Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[4]

The following SSPs can be used to access credentials:

  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.[5]
  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.[5]
ID: T1003.001
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Windows
Contributors: Ed Williams, Trustwave, SpiderLabs; Edward Millington; Michael Forret, Quorum Cyber; Olaf Hartong, Falcon Force
Version: 1.5
Created: 11 February 2020
Last Modified: 13 August 2024
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials.[6]
G1030 Agrius

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.[7]
G0006 APT1

APT1 has been known to use credential dumping using Mimikatz.[8]
G0007 APT28

APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[9][10] They have also dumped the LSASS process memory using the MiniDump function.[11]
G0022 APT3

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."[12]
G0050 APT32

APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[13][14]
G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.[15][16]
G0087 APT39

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.[17]
G0096 APT41

APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[18][19][20]
G1023 APT5

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[21]
G0143 Aquatic Panda

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[22]
S0606 Bad Rabbit

Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[23]
G0108 Blue Mockingbird

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.[24]
G0060 BRONZE BUTLER

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[25]
C0032 C0032

During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.[26]
G0003 Cleaver

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[27]
S0154 Cobalt Strike

Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.[28]
S0046 CozyCar

CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.[29]
C0029 Cutting Edge

During Cutting Edge, threat actors used Task Manager to dump LSASS memory from Windows devices to disk.[30]
S0187 Daserf

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[31]
G1006 Earth Lusca

Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.[32]
G1003 Ember Bear

Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.[33][34]
S0367 Emotet

Emotet has been observed dropping and executing password grabber modules including Mimikatz.[35][36]
S0363 Empire

Empire contains an implementation of Mimikatz to gather credentials from memory.[37]
G1016 FIN13

FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.[38][39]
G0037 FIN6

FIN6 has used Windows Credential Editor for credential dumping.[40][41]

G0061 FIN8

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[42]
G0117 Fox Kitten

Fox Kitten has used prodump to dump credentials from LSASS.[43]
G0093 GALLIUM

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[44][45]
S0342 GreyEnergy

GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.[46]
G0125 HAFNIUM

HAFNIUM has used procdump to dump the LSASS process memory.[47][1][48]
C0038 HomeLand Justice

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[49]
S0357 Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[50]
G0119 Indrik Spider

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[51]
G0004 Ke3chang

Ke3chang has dumped credentials, including by using Mimikatz.[52][53][54]
G0094 Kimsuky

Kimsuky has gathered credentials using Mimikatz and ProcDump.[55][56][57]
S0349 LaZagne

LaZagne can perform credential dumping from memory to obtain account and password information.[58]
G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[59]
G0065 Leviathan

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[60]
S0681 Lizar

Lizar can run Mimikatz to harvest credentials.[61][62]

S0121 Lslsass

Lslsass can dump active logon session password hashes from the lsass process.[8]
S1060 Mafalda

Mafalda can dump password hashes from LSASS.exe.[63]
G0059 Magic Hound

Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.[64][65][66][67]
S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.[68][69][70][71]
G1036 Moonstone Sleet

Moonstone Sleet retrieved credentials from LSASS memory.[72]
G0069 MuddyWater

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.[73][74][75]
S0056 Net Crawler

Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[27]
S0368 NotPetya

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[76][77][71]
G0049 OilRig

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[78][79][64][80]
S0439 Okrum

Okrum was seen using MimikatzLite to perform credential dumping.[81]
S0365 Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[82]
C0014 Operation Wocao

During Operation Wocao, threat actors used ProcDump to dump credentials from memory.[83]
G0068 PLATINUM

PLATINUM has used keyloggers that are also capable of dumping credentials.[84]
G1040 Play

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.[85]
S0428 PoetRAT

PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.[86]
S0378 PoshC2

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[87]
S0194 PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[88][89]
S0192 Pupy

Pupy can execute Lazagne as well as Mimikatz using PowerShell.[90]
S0583 Pysa

Pysa can perform OS credential dumping using Mimikatz.[91]
G1039 RedCurl

RedCurl used LaZagne to obtain passwords from memory.[92][93]
G0034 Sandworm Team

Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.[94][95][96]

G0091 Silence

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[97]
S0692 SILENTTRINITY

SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.[98]
G0027 Threat Group-3390

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[99][100]
C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[101]
G1017 Volt Typhoon

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[102][103]
G0107 Whitefly

Whitefly has used Mimikatz to obtain credentials.[104]
S0005 Windows Credential Editor

Windows Credential Editor can dump credentials.[105]
G0102 Wizard Spider

Wizard Spider has dumped the lsass.exe memory to harvest credentials with the use of open-source tool LaZagne.[106]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [107]
M1043 Credential Access Protection

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.[108][109]
M1028 Operating System Configuration

Consider disabling or restricting NTLM.[110] Consider disabling WDigest authentication.[111]
M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
M1025 Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[112]
M1017 User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[113] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 from the "Microsoft-Windows-PowerShell/Operational" log captures Powershell script blocks, whose contents can be further analyzed to determine if they’re performing LSASS dumping.

Analytic 1 - Unauthorized command execution of LSASS memory.

index=security sourcetype="Powershell" EventCode=4104Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "procdump.exe -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe* /dump")

DS0022 File File Creation

Monitor for the unexpected creation of memory dump files for the LSASS process (e.g., lsass{*}.dmp).

Analytic 1 - Unexpected creation of LSASS dump files.

index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="\lsass.dmp" | where ProcessName IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "comsvcs.dll")

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior from credentials being accessed by process memory of the LSASS. For example, detect behaviors of Secretsdump against a system, not being a Domain Controller.

Analytic 1 - Unusual logon sessions from LSASS memory access.

index=security sourcetype="WinEventLog:Security" EventCode=4624 TargetUserName="*"| eval LogonType=case(Logon_Type=="2", "Interactive", Logon_Type=="3", "Network", Logon_Type=="4", "Batch", Logon_Type=="5", "Service", Logon_Type=="7", "Unlock", Logon_Type=="8", "NetworkCleartext", Logon_Type=="9", "NewCredentials", Logon_Type=="10", "RemoteInteractive", Logon_Type=="11", "CachedInteractive")| where LogonType IN ("Interactive", "RemoteInteractive", "NetworkCleartext")

DS0009 Process OS API Execution

Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). OS API calls associated with LSASS process dumping include OpenProcess and MiniDumpWriteDump. Execution of these functions might trigger security log ids such as 4663 (Microsoft Security Auditing) and 10 (Microsoft Sysmon)

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Process Access

Monitor for unexpected processes interacting with LSASS.exe.[114] Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Usage of Procdump and Windows Task Manager for LSASS dumping can also be detected via process creation events, since they both have a predictable set of command-line arguments (i.e., for specifying the process to be dumped).

Note: Sysmon process access events (Event ID 10) can be extremely noisy, which necessitates tweaking the Sysmon configuration file. We recommend taking an approach analogous to that of the Sysmon Modular Configuration project (https://github.com/olafhartong/sysmon-modular) and filtering out any benign processes in your environment that produce large volumes of process access events.

The GrantedAccess value in the below analytic for Mimikatz is meant to be used solely as an illustrative example of detecting Mimikatz LSASS access. However, actual GrantedAccess values change over time with different versions of Mimikatz and therefore detection engineers need to verify the accuracy of any GrantedAccess values that their analytics are using.

Analytic 1 - Mimikatz

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="10" AND TargetImage= "lsass.exe" AND (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)CallTrace="C:\windows\SYSTEM32\ntdll.dll+|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)")

Analytic 2 - Suspicious process access to LSASS memory.

((sourceType=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="10") AND TargetImage= "*lsass.exe" AND SourceImage IN ("*mimikatz.exe", "*procdump.exe", "*rundll32.exe", "*taskmgr.exe", "*powershell.exe")
Process Creation

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Try monitoring for Sysmon Event ID 1 and/or Windows Security Event ID 4688 for process activity.

Note: - Rundll32/MiniDump has a different command-line syntax than that of Procdump, in that the process being dumped is specified via process ID instead of name (as with Procdump). Therefore, because the LSASS process ID is non-deterministic, the MiniDump detection isn’t specific to LSASS dumping and may need to be tuned to help reduce false positives.- When monitoring for .dll functions on the command-line be sure to also check for the ordinal associated with the function.

Analytic 1 - Unexpected process creation related to LSASS memory dumping.

index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe") CommandLine IN (" -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe /dump", "powershell.exe -Command Get-Process lsass | Out-MemoryDump")
DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes to Registry entries associated with credential access that is stored in the process memory of the LSASS. For example, the adversary can modify the SAM and SYSTEM files.

Analytics 1 - Unauthorized registry modifications related to LSASS.

index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("\SYSTEM\CurrentControlSet\Services\", "\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos", "*\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0") | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe")

References

  1. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  2. Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.
  3. Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.
  4. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
  5. Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.
  6. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  7. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  8. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  9. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  10. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  11. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  12. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  13. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  14. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  15. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  16. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  17. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  18. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  19. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  20. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  21. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  22. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  23. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  24. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  25. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  26. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  27. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  28. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  29. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  30. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  31. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  32. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  33. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  34. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  35. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  36. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
  37. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  38. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  39. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  40. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  41. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  42. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  43. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  44. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  45. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  46. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  47. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  48. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  49. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  50. SecureAuth. (n.d.). Retrieved January 15, 2019.
  51. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  52. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  53. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  54. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  55. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  56. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  57. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  3. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  4. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
  5. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  6. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  7. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  8. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  9. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  10. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  11. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  12. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  13. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  14. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  15. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  16. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  17. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  18. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  19. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  20. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  21. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  22. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  23. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  24. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  25. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  26. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  27. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  28. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  29. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  30. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  31. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  32. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  33. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  34. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  35. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  36. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  37. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  38. Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  39. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  40. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  41. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  42. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  43. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  44. Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.
  45. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  46. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  47. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  48. Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved September 12, 2024.
  49. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  50. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  51. Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.
  52. NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.
  53. Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.
  54. Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020.
  55. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
  56. PowerSploit. (n.d.). Retrieved December 4, 2014.
  57. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.