An attack chain consists of a number of sequential steps. Because credential dumping is a crucial one, it is vital to detect its presence early. Once an attack on a system is launched, the attacker gains a foothold and moves laterally within the system, identifying their target. During this lateral movement the attacker first obtains the administrator account's passwords and logins, a process known as privilege escalation. Once these privileges are acquired, the attacker is in a position to access even the most sensitive information in the system using credential dumping methods. Privilege escalation is always performed before any credential dumping attempts.

Detecting, monitoring, and blocking an attacker's lateral movement is therefore vital. Doing this requires powerful technology across all control points. Norton security offers layered defense across its portfolio as a strategy against the onset of any attack chain. Our solutions detect precursor events like privilege escalation and threat delivery, detect post-theft credential use, and block any credential dumping attempts once detected.

Detecting credential dumping

Protecting against all forms of credential dumping has proven daunting, because most attackers disguise their activity as legitimate within the system. They even leverage standard administration tools to perform the dumping.

Following the Norton.com/setup, any attempts at credential dumping are uncovered by our Norton solutions. Through its Endpoint Detection and Response (EDR) feature, Norton makes visible any attempt at credential theft by looking for credential dumping techniques that include:

  • Abusing ticket-granting services to obtain ticket hashes for offline credential cracking

  • Opening the Windows Local Security Authority Subsystem Service (LSASS) process and reading its memory

  • Accessing credentials through the Windows Credential Manager

  • Accessing user credential stores, e.g. mail clients

  • Keylogging

  • Accessing the Security Accounts Manager (SAM) in the registry

  • Tapping into network traffic to sniff for credentials

When credential theft is identified, Norton's EDR reports what was observed in terms of the attacker's goal and technique.
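The LSASS memory-read technique in the list above is one an EDR typically surfaces from process-access telemetry. The following is an added example written for this page, not Norton's code, of how such a check works on the defender's side: it parses constructed records in the shape of Sysmon Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess) and flags any process outside an assumed allowlist that obtains memory-read rights on lsass.exe. The flattened `Key: value|Key: value` record format, the allowlist, and the choice of access-mask bits are assumptions to be tuned per environment; the Win32 access-right constants are the documented values.

```python
from dataclasses import dataclass

# Win32 process access rights involved in reading another process's memory (documented values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that routinely open LSASS on a healthy host. Assumed baseline; tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessAccessEvent:
    """The three Sysmon Event ID 10 fields this check needs."""
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one flattened 'Key: value|Key: value' record (a constructed format, not Sysmon's XML)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # split on the first colon only, so C:\ paths survive
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious_lsass_access(event: ProcessAccessEvent) -> bool:
    """Flag a non-allowlisted process that obtains memory-read rights on lsass.exe."""
    if not event.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if event.source_image.lower() in ALLOWLISTED_SOURCES:
        return False
    reads_memory = bool(event.granted_access & PROCESS_VM_READ)
    return reads_memory or event.granted_access == PROCESS_ALL_ACCESS


def detect(lines):
    """Return (source image, granted access) for every suspicious event in the input lines."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append((event.source_image, hex(event.granted_access)))
    return hits


# Constructed sample records; not real telemetry.
SAMPLE_LOG = [
    r"SourceImage: C:\Windows\System32\svchost.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1400",
    r"SourceImage: C:\Users\alice\Downloads\unknown.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1010",
    r"SourceImage: C:\Windows\System32\taskmgr.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1400",
    r"SourceImage: C:\Temp\dumper.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1FFFFF",
    r"SourceImage: C:\Users\alice\Downloads\unknown.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1010",
]

if __name__ == "__main__":
    for source, access in detect(SAMPLE_LOG):
        print(f"suspicious LSASS access: {source} (GrantedAccess={access})")
```

Two of the five constructed records are flagged: the unknown download requesting PROCESS_VM_READ, and the temp-directory binary requesting full access. Query-only handles (0x1400) and accesses to targets other than lsass.exe pass. Note that Sysmon only emits Event ID 10 for targets its configuration names, so a rule covering lsass.exe must be in place before this telemetry exists at all.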

Informed by EDR reports, Endpoint Protection (EP) blocks these credential dumping techniques through its technologies, including:

  • Real-time analysis of all running processes

  • Comparing information about a suspect program against data from millions of Norton users

  • Pre-execution evaluation of a process's activities

  • Heuristic scanning for known program attributes associated with credential dumping

  • Identifying malicious processes through machine learning techniques

For the ultimate solution to credential dumping, the Norton setup at www.norton.com/setup is the place to start.

Published by Justin Schumakar