Lab OS.4 — Credential Theft Detection

Lab Overview

The Scenario

Your SOC has confirmed initial compromise on the endpoint WIN-SERVER-01. A C2 beacon was identified in a previous investigation (Lab OS.3), and now the threat actor has been observed executing post-exploitation activity. Threat intelligence indicates the group uses credential harvesting techniques before lateral movement.

Your task is to use Velociraptor to hunt for credential theft indicators on the compromised endpoint. The attacker may have targeted LSASS process memory, exported registry hives (SAM/SYSTEM/SECURITY), used known credential dumping tools, or staged credentials for exfiltration. You must identify every credential theft technique used and document the evidence chain.

The planted artifacts simulate a realistic attack where the threat actor used multiple credential theft methods — some stealthy, some aggressive — to maximize their chances of obtaining usable credentials before network defenders could respond.

Part 1: Detecting LSASS Memory Access

LSASS (Local Security Authority Subsystem Service) holds plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Dumping LSASS is the single most common credential theft technique.

Step 1.1: Check for LSASS Access with Sysmon

Launch the Velociraptor artifact Windows.EventLogs.EvtxHunter and search for Sysmon Event ID 10 (Process Access) targeting lsass.exe:

Artifact: Windows.EventLogs.EvtxHunter
Parameters:
  EvtxGlob: C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx
  SearchRegex: lsass

Expected Results: Look for entries where a non-system process accessed lsass.exe with suspicious access masks:

• 0x1010 — PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_VM_READ (MiniDump pattern)
• 0x1FFFFF — PROCESS_ALL_ACCESS (aggressive, full access)

Record the source process that accessed LSASS. Legitimate processes include csrss.exe, services.exe, and svchost.exe. Anything else warrants investigation.

Step 1.2: Hunt for MiniDump-Style LSASS Dumps

The most common LSASS dump method uses comsvcs.dll via rundll32:

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/Windows/Temp/**/*.dmp

Also check the user's temp and common staging directories:

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/Users/*/AppData/Local/Temp/**/*.dmp

Expected Results: You should find a .dmp file created recently. Note the file size — LSASS dumps are typically 30–150 MB depending on the number of active sessions.

Step 1.3: Check for procdump.exe or comsvcs.dll Usage

Run the artifact to check executed commands:

Artifact: Windows.System.CmdlineHistory

Search the results for:

• procdump — Sysinternals tool commonly abused for LSASS dumping
• comsvcs.dll — Native Windows DLL with MiniDump export
• rundll32 with MiniDump — The classic LOLBin credential dump

Document: Record every command line that references LSASS, process IDs, or dump operations.

Click to enlarge

Part 2: Registry Hive Credential Extraction

Windows stores local account hashes in the SAM registry hive, encrypted with the SYSTEM hive's boot key. Attackers export both to crack passwords offline.

Step 2.1: Hunt for Registry Export Commands

Artifact: Windows.System.CmdlineHistory

Search for reg save or reg export commands targeting:

• HKLM\SAM — Contains local account password hashes
• HKLM\SYSTEM — Contains the boot key to decrypt SAM
• HKLM\SECURITY — Contains cached domain credentials and LSA secrets

Expected Results: You should find evidence of at least two registry hive exports. Document the exact commands, output paths, and timestamps.

Step 2.2: Locate Exported Hive Files

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/**/{sam,system,security,sam.save,system.save,security.save}
  SearchFilesGlobTable:
    - C:/Windows/Temp/**/sam*
    - C:/Windows/Temp/**/system*
    - C:/Users/**/sam*
    - C:/Users/**/system*

Expected Results: Exported hive files stored outside their normal C:\Windows\System32\config location are strong indicators of credential theft. Note the file sizes and creation timestamps.

Step 2.3: Check for Shadow Copy Abuse

Sophisticated attackers extract SAM/SYSTEM from Volume Shadow Copies to avoid file locks:

Artifact: Windows.System.CmdlineHistory

Search for vssadmin, wmic shadowcopy, or esentutl commands. These may indicate the attacker created or accessed shadow copies to extract locked registry hives.

Part 3: Tool-Based Credential Theft Detection

Step 3.1: Hunt for Known Credential Dumping Tools

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/**/{mimikatz*,mimi*,sekurlsa*,kiwi*,lazagne*,pypykatz*,SafetyKatz*}

Also check for renamed binaries by searching for common Mimikatz string artifacts in memory or files:

Artifact: Windows.Detection.Yara.NTFS
Parameters:
  PathRegex: .(exe|dll|ps1|py)$
  YaraRule: |
    rule mimikatz_strings {
      strings:
        $s1 = "sekurlsa::logonpasswords" ascii wide
        $s2 = "privilege::debug" ascii wide
        $s3 = "token::elevate" ascii wide
        $s4 = "lsadump::sam" ascii wide
      condition:
        any of them
    }

Expected Results: Even if the attacker renamed the tool, YARA-based detection catches the internal strings.

Step 3.2: PowerShell Credential Theft

Artifact: Windows.EventLogs.EvtxHunter
Parameters:
  EvtxGlob: C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx
  SearchRegex: (Invoke-Mimikatz|Get-Credential|SecureString|ConvertFrom-SecureString|credential|dumpert|Out-Minidump)

Expected Results: Look for PowerShell commands that load credential theft modules, invoke Mimikatz in memory, or convert secure strings back to plaintext.

Part 4: Pass-the-Hash and Lateral Movement Preparation

Step 4.1: Detect Pass-the-Hash Evidence

Pass-the-Hash (PtH) uses stolen NTLM hashes to authenticate without knowing the plaintext password:

Artifact: Windows.EventLogs.EvtxHunter
Parameters:
  EvtxGlob: C:/Windows/System32/winevt/Logs/Security.evtx
  SearchRegex: (4624|4625)

Filter for Logon Type 9 (NewCredentials) or Type 3 (Network) where the authentication package is NTLM. Pass-the-Hash typically shows as:

• Event ID 4624 with Logon Type 9
• Authentication Package: NTLM (not Kerberos)
• Source and target on the same machine (local PtH testing)

Step 4.2: Check for Credential Staging

Attackers often stage stolen credentials in text files before exfiltration:

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/Users/**/Desktop/**/{cred*,pass*,hash*,dump*,*.txt}

Also check common staging directories:

Artifact: Windows.Search.FileFinder
Parameters:
  SearchFilesGlob: C:/Windows/Temp/**/{cred*,pass*,hash*,*.txt}

Expected Results: Look for text files containing usernames, hashes, or extracted credentials. Document the contents and timestamps.

Click to enlarge

Part 5: Build the Investigation Report

Compile all findings into a structured credential theft investigation report:

CREDENTIAL THEFT INVESTIGATION REPORT
═══════════════════════════════════════
Endpoint: WIN-SERVER-01
Date: [today's date]
Analyst: [your name]
Classification: CONFIRMED CREDENTIAL THEFT

TECHNIQUE 1: LSASS Memory Dump
  Tool Used: [comsvcs.dll / procdump / other]
  Evidence: [file path, command line, timestamp]
  Access Mask: [Sysmon Event 10 access mask]
  Impact: Plaintext passwords + NTLM hashes exposed

TECHNIQUE 2: Registry Hive Export
  Commands: [reg save commands found]
  Files Found: [exported SAM/SYSTEM paths]
  Impact: Local account hashes available for offline cracking

TECHNIQUE 3: Known Tool Usage
  Tool: [mimikatz / lazagne / custom]
  Detection Method: [file finder / YARA / PowerShell logs]
  Commands Executed: [specific commands or modules used]

TECHNIQUE 4: Pass-the-Hash Preparation
  Evidence: [logon events, credential staging files]
  Target Accounts: [accounts whose hashes were stolen]
  Lateral Movement Risk: [HIGH/CRITICAL]

TIMELINE:
  [timestamp] - First LSASS access detected
  [timestamp] - Registry hives exported
  [timestamp] - Credential file staged
  [timestamp] - PtH logon attempt observed

RECOMMENDATIONS:
  1. Force password reset for all accounts on WIN-SERVER-01
  2. Revoke Kerberos tickets (krbtgt double-reset if domain compromise suspected)
  3. Monitor for lateral movement using stolen credentials
  4. Isolate endpoint for full forensic imaging

Deliverable Checklist

Before completing the lab, ensure you have:

• LSASS Access Evidence — Sysmon Event 10 records showing non-system process accessing lsass.exe
• Dump File Located — .dmp file(s) found outside normal system directories
• Registry Hive Exports — reg save commands and exported SAM/SYSTEM files documented
• Tool Detection — Credential dumping tool identified via file search or YARA scan
• PowerShell Evidence — Suspicious PowerShell commands related to credential access reviewed
• Pass-the-Hash Indicators — NTLM logon events analyzed for PtH patterns
• Credential Staging — Any text files with extracted credentials located
• Complete Investigation Report — All techniques documented with evidence and timeline

What's Next

In Lab OS.5 — Full Persistence Audit, you'll shift from credential theft to persistence — systematically auditing every Windows persistence mechanism to find how the attacker ensured they could return even after a reboot. You'll build a comprehensive Persistence Audit Matrix covering registry keys, scheduled tasks, services, WMI subscriptions, and more.