# Part 3 - Credential Dumping & Threat Detection

## **Now We'll Get Adversarial**

### **Setting Up the Attack**

#### **Access Sliver C2**

1. Open an **SSH session** on your Linux VM.
2. Drop into a **C2 session** on your victim host.
3. If needed, retrace your steps from Part 2.

#### **Check Privileges**

1. Run the following command to check permissions:

   ```bash
   getprivs
   ```
2. Look for **SeDebugPrivilege** (required for advanced actions).
3. If missing, **relaunch your C2 implant with admin rights**.

***

### **Dump LSASS Process (Credential Theft)**

#### **Why?**

Attackers dump the **LSASS process** to steal **passwords and hashes** stored in memory. These credentials can be used to access other systems.

#### **How?**

They use tools like:\
🔹 **Procdump** – A legit Microsoft tool misused for dumping LSASS.

#### **Run the following command to dump LSASS:**

```bash
procdump -n lsass.exe -s lsass.dmp
```

<figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FiaYYBX7sVjYDSfPZGtbw%2Fimage.png?alt=media&#x26;token=eb6a2efe-7d16-4b44-b37b-7974c325495f" alt=""><figcaption></figcaption></figure>

📌 This will save the dump on your **Sliver C2 server**.\
❗ If the command **fails**, telemetry may still have been generated, allowing for detection.

***

### **Detecting the Attack**

#### **Analyze Telemetry in LimaCharlie**

1. Open the **LimaCharlie web UI**.

2. Navigate to **Timeline** on your Windows VM sensor.
   1. Use **Event Type Filters** to search for `SENSITIVE_PROCESS_ACCESS`.<br>

      <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F4vhDaBIUfQEIHDzgGufz%2Fimage.png?alt=media&#x26;token=ec72fb74-6021-4c91-ab82-925e298df2d9" alt=""><figcaption></figcaption></figure>


      ### Key Observations

      #### Source Process

      * **File Path:** `C:\Users\User\Downloads\FORTHCOMING_FLASH.exe`
      * **Command Line Execution:** `"C:\Users\User\Downloads\FORTHCOMING_FLASH.exe"`
      * **Unsigned Binary:** Yes (Potentially Untrusted)
      * **Hash:** `6923c3553a1909b58c3b512be64a2e6113e998319ce39352c616f0219cb35`

      #### Target Process

      * **File Path:** `C:\Windows\System32\lsass.exe`
      * **Command Line Execution:** `"C:\Windows\System32\lsass.exe"`
      * **Signed Binary:** Yes (Legitimate System File)

      ### Security Concern

      * **Potential Credential Dumping:** The unsigned binary attempted access to `lsass.exe`, a critical authentication process.
      * **Possible Malware Activity:** Credential theft tactics often target `lsass.exe`.

3. Identify the event related to **LSASS access**.

#### **Create a Detection & Response (D&R) Rule**

1. Click **Create Rule** based on the detected event.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FX9BBOJjTgZZpOSckgZTe%2Fimage.png?alt=media&#x26;token=8514c073-949b-45c6-92d8-d4aa7809f3f0" alt=""><figcaption></figcaption></figure>
2. Replace the **Detect** section with:<br>

   ```yaml
   event: SENSITIVE_PROCESS_ACCESS
   op: ends with
   path: event/*/TARGET/FILE_PATH
   value: lsass.exe
   ```

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FvlcWMRq9Gmaru8Lz2JHU%2FUntitled.png?alt=media&#x26;token=01aa39f5-67a8-42d6-aa19-f51a1ec515f4" alt="" width="563"><figcaption></figcaption></figure>
3. Replace the **Respond** section with:

   ```yaml
   - action: report
     name: LSASS access
   ```

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F6PpS146uiGUi88vYUPye%2Fdwd.PNG?alt=media&#x26;token=7cbb036d-62b4-4b98-8c13-ccac83d78e05" alt="" width="563"><figcaption></figcaption></figure>

4. **Save the rule** as **"LSASS Accessed"** and enable it.
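To see what the Detect and Respond sections above actually do, here is a small Python evaluator written for this page (it is not LimaCharlie's engine or any of its code) that walks constructed events with the rule exactly as written: the `routing/event_type` envelope and the `ACCESS_INFO` key are assumptions standing in for the real event layout, and the sample telemetry is modelled on the Key Observations, not captured from a sensor.

```python
from typing import Any, Iterator

# Detect and Respond sections exactly as written in this page's rule.
DETECT = {
    "event": "SENSITIVE_PROCESS_ACCESS",
    "op": "ends with",
    "path": "event/*/TARGET/FILE_PATH",
    "value": "lsass.exe",
}
RESPOND = [{"action": "report", "name": "LSASS access"}]

def resolve_path(node: Any, parts: list) -> Iterator[Any]:
    """Yield every value reachable along a slash-separated path; '*' matches any one key."""
    if not parts:
        yield node
        return
    if not isinstance(node, dict):
        return
    head, rest = parts[0], parts[1:]
    keys = list(node) if head == "*" else [head] if head in node else []
    for key in keys:
        yield from resolve_path(node[key], rest)

def matches(rule: dict, event: dict) -> bool:
    """Event-type filter first, then the string operator on every value the path resolves to."""
    if event.get("routing", {}).get("event_type") != rule["event"]:  # assumed envelope layout
        return False
    values = resolve_path(event, rule["path"].split("/"))
    if rule["op"] == "ends with":  # exact comparison, as the rule is written (no case folding)
        return any(isinstance(v, str) and v.endswith(rule["value"]) for v in values)
    raise ValueError(f"unsupported op: {rule['op']!r}")

def make_event(event_type: str, source: str, target: str) -> dict:
    # 'ACCESS_INFO' is a hypothetical key standing in for whatever the rule's '*' spans in real events
    return {"routing": {"event_type": event_type},
            "event": {"ACCESS_INFO": {"SOURCE": {"FILE_PATH": source}, "TARGET": {"FILE_PATH": target}}}}

# Constructed telemetry modelled on the Key Observations above, not real sensor output.
FLASH = r"C:\Users\User\Downloads\FORTHCOMING_FLASH.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE = [
    make_event("SENSITIVE_PROCESS_ACCESS", FLASH, LSASS),                           # observed event: fires
    make_event("SENSITIVE_PROCESS_ACCESS", r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\winlogon.exe"),                                # other target: no
    make_event("NEW_PROCESS", FLASH, LSASS),                                        # wrong event type: no
    make_event("SENSITIVE_PROCESS_ACCESS", FLASH, LSASS.upper()),                   # upper-case path: missed
]

def run(events: list) -> list:  # one Respond report name per match: what the Detections tab lists
    return [a["name"] for e in events if matches(DETECT, e) for a in RESPOND if a["action"] == "report"]
```

The fourth sample shows why the literal `ends with` comparison is worth checking against your platform's case-handling options before relying on the rule.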

#### **Test the Detection Rule**

1. Click **Target Event** to see the raw event.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FVXabHQAED6pKBdtmJKUK%2Fe3f26b0b-f697-4f1b-a552-89f42269fb5e_822x391.png?alt=media&#x26;token=bc5dc211-eda0-46ba-b55a-065e76ddbbbe" alt="" width="563"><figcaption></figcaption></figure>
2. Scroll to the bottom and click **Test Event**.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FFT44lp05DJZG6pYwOeFT%2Fed440bb9-b0ea-4a0c-a66b-c6017100b3d6_719x213.webp?alt=media&#x26;token=5096a612-53ba-4f28-8223-c9b0eb6e627d" alt="" width="539"><figcaption></figcaption></figure>
3. If a **"Match"** appears, the rule is correctly detecting **LSASS access**.

***

### **Validating the Detection**

#### **Re-run the Attack**

1. Return to your **Sliver server** and rerun:

   ```bash
   procdump -n lsass.exe -s lsass.dmp
   ```
2. If your **C2 session dies**, relaunch the malware.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FKuXKh5waQ4IeX6Vdb0mo%2Fimage.png?alt=media&#x26;token=e652ca4d-dbd3-467b-8475-81955ea2d278" alt="" width="563"><figcaption></figcaption></figure>

#### **Check for Detections**

1. Open **LimaCharlie** and go to the **Detections** tab.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2Fdbr1j12OxLOffOlhNWtp%2Fdqdww.png?alt=media&#x26;token=15505b97-b42d-4c6b-a4fa-71d11bdecb81" alt="" width="563"><figcaption></figcaption></figure>
2. Click **"Back to Sensors"** if needed.
3. Expand the detection entry to view the **raw event**.
4. Click **View Event Timeline** to analyze when and how the attack occurred.<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FBlM7zIb0goWSdFEzlxgi%2Fttt.png?alt=media&#x26;token=4547be04-1c1c-4228-a4c6-a98f7d8c4b38" alt="" width="563"><figcaption></figcaption></figure>
