How to Automate Incident Response to MITRE ATT&CK Technique T1003: OS Credential Dumping

In this blog post, we will outline four incident response playbooks for MITRE ATT&CK Technique T1003: OS Credential Dumping. Credential Dumping is a technique that allows adversaries to steal user authentication materials, such as usernames and passwords, often from system memory. The indicators of compromise associated with this technique include unexpected and extensive read operations on system memory, suspicious processes, and anomalous network traffic patterns. By leveraging automation, security teams can become more strategic with their incident response and rest easy, knowing that there is a consistent process in place to contain and recover from T1003.

Playbook One: CrowdStrike, Palo Alto Next-Generation Firewall (NGFW), and Okta

Triage

In this playbook, we use an event playbook to set a more accurate severity for the incoming alert. For example, if the user involved does not have administrative privileges, their attempt to harvest credentials using lsass will fail. In this case, CrowdStrike EDR has detected a possible credential dumping alert, which has been ingested into Smart SOAR. Then, an event playbook triggers and uses identity data from Okta to categorize the alert as high severity, if the user who executed the command has administrative access to their device.

 

Triage workflow: The event playbook reviews user permissions and escalates the severity level if the user holds an administrator role

Event playbook checks user permission and sets severity to high if the user is admin.

Incident Response

Enrichment

The incident playbook has three main sections: enrichment, containment, and recovery. In the enrichment phase, Okta, CrowdStrike, and Palo Alto are used to get more details on the user, device, and security rules. This data is parsed and displayed to the analyst or investigator for quick decision-making.

Credential dumping enrichment workflow using Okta, CrowdStrike, and Palo Alto NGFW

 

Containment

Once the threat has been confirmed, CrowdStrike and Okta are used to deactivate the user and stop the malicious process. At the same time, Palo Alto NGFW can block any communication with a suspicious IP address and the investigator can take things further and quarantine the device. These commands can be triggered automatically or manually.

Credential dumping containment workflow using CrowdStrike, Okta, and Palo Alto NGFW

Recovery

In the recovery stage, the analyst is prompted to reset the affected user’s password. Once this is done, they can reconnect the host back to the network and re-activate the user’s account. Then, the incident is closed and the status of the alert is updated in CrowdStrike.

Smart SOAR Credential dumping recovery workflow

Playbook Two: Microsoft Defender for Endpoint, Palo Alto NGFW, and Okta

Enrichment

The first stage of this playbook is enrichment. In this stage, Okta and Microsoft Defender for Endpoint are used to consolidate all activity logs on the user and device that are suspected of running the malicious process. These logs can indicate any suspicious outbound connection requests or the execution of common credential dumping commands.

During the enrichment phase of a credential dumping workflow, we utilize both Okta and Microsoft Defender for Endpoint to compile all activity logs associated with a user and device suspected of operating a harmful process

Containment

Once a credential dumping threat has been confirmed, Smart SOAR can automatically disable the user, quarantine the device, and block any suspicious entities, such as destination IPs and local files. This prevents the threat actor from establishing persistence or moving to a later stage attack like lateral movement.

Containment workflow for Smart SOAR where it autonomously deactivates the user, isolates the device

Recovery

In the recovery phase, Okta can reset the compromised user’s account and initiate the same process for all users whose credentials may have been exposed in the attack. Then, the playbook can reactivate the user isolated in the containment phase. Similarly, Defender for Endpoint scans can be triggered and devices brought back onto the network when they are approved. Finally, Palo Alto NGFW security rules can be updated to prevent access to malicious sites or IP addresses that may have been used to gain access in the first place.

During the recovery stage, Okta can renew the hacked user's account and launch the identical process for all users who may have had their credentials revealed during the breach

Playbook Three: Microsoft Defender for Endpoint, Zscaler, and Active Directory

Enrichment

Similar to the previous playbook, the first stage in this playbook is enrichment. This is where Smart SOAR consolidates relevant data from systems that were not included in the original alert. For example, user information from Active Directory, such as groups and management chains, and activity logs for the device and user. This data was not included in the original alert from Microsoft Defender for Endpoint, but can be retrieved through playbooks via APIs. The playbook also retrieves a file analysis from Zscaler if a malicious file is suspected of originating the attack.

During data enrichment, Smart SOAR gathers additional user information and activity logs not included in the original Microsoft Defender alert. Using APIs, it also fetches file analysis from Zscaler when a malicious file is suspected.

Containment

Microsoft Defender for Endpoint and Active Directory are perfect for containing an attack. If a user and device are compromised, they can both be taken offline and the user’s application access can be revoked. In the recovery stage, we can take these assets back online after they have been remediated.

Credential dumping containment workflow enabling the isolation of compromised user and device, and suspending the user's application privileges

Recovery

As quickly as Defender and Active Directory can take assets offline, they can bring them back, granting the user the access they need to continue working. Then, new indicators are created in Defender to help identify threats sooner.

Credential dumping recovery workflow

Playbook Four: Trellix (formerly McAfee) EDR, FortiGate NGFW, and Okta

Enrichment

In the first stage of this playbook, we retrieve relevant information on the user and potentially affected device. Trellix’s “Get Device Info”, “List Task History”, and “List Running Server Task” commands help us get a clear picture of what activity has been taken on the device. At the same time, Okta’s “Get User Info”, and “Get Activity Log” commands show us user details.

 

Credential dumping enrichment workflow with Trellix,and Okta

Containment

Upon identifying Credential Dumping, we activate the response stage. Using Trellix’s “Assign Policy to System” command, we apply appropriate security policies to affected systems. The “Scan Endpoint” command is used to further investigate the vulnerabilities on the device. FortiGate is used to block suspicious IP addresses and Okta is deployed to disable the compromised user account.

Credential dumping enrichment workflow with Trellix, Fotigate, and,Okta

Recovery

During the recovery stage, FortiGate’s “Add IPs to Address Group” command enables us to isolate IP addresses associated with the attack, thereby disrupting the threat actor’s communication channels. Okta’s “Reset User Password” and “Activate User” commands secure potentially compromised accounts and bring disabled users back online.

 

Credential dumping recovery workflow with Trellix and,Okta

Takeaway

These four playbooks are examples of how security teams can use Smart SOAR to integrate their standalone security tools into a unified system. This creates an automated, 24/7, consistent approach to incident response.

In this scenario we used Trellix EDR, CrowdStrike, and Microsoft Defender for Endpoint to gather details on affected machines then assist with containment and recovery. We also used Okta and Active Directory to check user permissions and perform account resets if needed. Zscaler and Palo Alto NGFW were used to monitor and block suspicious network traffic. Smart SOAR integrates with hundreds of security tools. Reach out to us if you’re curious about how it can complement your stack.

Powering the World’s Best SecOps Teams

Get Started with D3 Security