credential dumping

The easiest way to break into a house is to have the keys to the front door. I’m not saying that it’s necessarily easy to get your hands on the keys. But once you have them, breaking into the house is trivial. The same is true for IT systems, smartphones, tablets, laptops, desktops, and servers, where the keys are credentials. And again, that doesn’t mean that accessing those credentials will be easy, but once you do have them, you’re in.

That’s also the main reason credential-based attacks are so prevalent. Credential dumping is an early step in many intrusions, ransomware attacks included, because it turns one compromised machine into a foothold on every other machine those credentials unlock. Protecting yourself against credential dumping is critical.

There are many types of credential-based attacks, and I’ve previously covered a few of them, from credential stuffing to pass the hash attacks to masquerade attacks. In this post, we’re going to look at credential dumping, how it works, and what you can do about it.

What is credential dumping?

A credential dumping (or password dumping) attack is a post-compromise technique: a malicious actor who already has a foothold on your device extracts the credentials it holds. On Windows the main target is the memory of the Local Security Authority Subsystem Service (lsass.exe), which caches credential material for every user who has logged on since boot: NT password hashes, Kerberos keys and tickets and, on older or misconfigured systems, the plain-text password itself. LSASS memory is the most common target, but attackers also harvest credentials from other places on the device (more on that later). The “dumping” refers to copying that credential material out. Once accessed and copied, the credentials are said to have been “dumped.”

Once the bad guys have your credentials, they can access the (potentially sensitive) information on your device. They can access your other accounts, if credentials for those accounts were cached on the device. And they can reach other devices on the same network, authenticating with the stolen hashes (a pass the hash attack), and escalate by dumping more valuable account credentials from each machine they land on. The latter can end with the whole network taken over or taken down.

Does my device really store my credentials that way?

Yep. And it’s by design. So that you are not prompted for your password every time you open a file share or connect to a mail server, Windows keeps credential material for each logged-on session in the memory of the LSASS process and uses it for single sign-on. That material includes the NT hash of your password and your Kerberos keys and tickets; when the WDigest provider is enabled (the default before Windows 8.1 and Server 2012 R2), it also includes your password in plain text. LSASS does encrypt these secrets in memory, but the key lives in the same process, so any code that can read LSASS memory (which requires local administrator rights, specifically the SeDebugPrivilege administrators hold) can decrypt them. Whenever that material is readable, it can be copied and reused.

Not only that, but the memory of LSASS (or of the whole machine) can be “dumped” (copied) into a file with ordinary tools: Task Manager’s “Create dump file,” Sysinternals ProcDump (procdump -ma lsass.exe), or the MiniDump export of the built-in comsvcs.dll. That file can then be carried to another machine and parsed offline (Mimikatz’s sekurlsa::minidump does exactly that), or sent over the network to a server the attacker controls. Many malware families do just that. So as such malware spreads, your organization’s passwords may well be getting dumped and sent to the attacker.

How does credential dumping work?

(1) A malicious actor finds a way into your device. This could be through a phishing email, an exposed remote desktop service, a zero-day vulnerability, or a machine that has not applied the latest security patches. It could also be a legacy device running outdated software, etc. The point is that the attacker finds a way to break into your device.

(2) Once they’re on the inside, they search your device for stored credentials, usually with a tool or malware that automates the job. The first place they look is LSASS memory, because it holds the credential material of everyone who has logged on. Reading it requires local administrator rights, so escalating privileges on the compromised machine is often the step in between.

Credential dumping is rarely the whole attack; the “dump” is usually the first step of a multi-stage credential-based attack. Suppose you’re on a Windows machine. Attackers can also copy the Security Account Manager (SAM) database, which holds the NT password hashes of the machine’s local accounts, and the SECURITY registry hive, which holds cached verifiers of domain accounts that have logged on (so the machine can authenticate them while offline). Those cached domain verifiers are salted and must be cracked before use, but the NT hash of any domain user whose session is in LSASS memory can be used directly – and that could well include your IT administrator’s credentials if they logged into your machine for troubleshooting purposes.

NTLM authentication never uses the password itself: the client proves its identity by computing a response from the NT hash, so the hash is as good as the password. With a stolen hash, attackers can open authenticated sessions as that user on other machines in the network, move laterally, collect further hashes from each machine they reach, and repeat until they hold the golden key: a domain administrator’s credentials. This is referred to as a pass the hash attack (PtH). Below, we will look at other credential-based attacks that are commonly deployed with credential dumping.

(3) With those valid credentials (or hashes, or tickets) in hand, the attackers create authenticated sessions in the name of whoever they stole them from. This makes credential dumping attacks challenging to detect: the attackers are using valid credentials and haven’t “broken” the authentication mechanisms – they simply used the keys to the front door.

Credential dumping example

The “malware” referred to above is the software tooling attackers use to automate the credential dump. The most popular and widely known credential dumping tool is Mimikatz. There are others, such as Chalumeau (which is based on Mimikatz), Impacket’s secretsdump.py, and LaZagne, and attackers frequently use legitimate administration tools such as ProcDump to capture LSASS memory and parse it elsewhere.

French developer Benjamin Delpy released Mimikatz in 2011 as a proof of concept designed to highlight flaws in how Windows handled credentials. Mimikatz brought to light quite a few weaknesses in the modules that handle credentials inside LSASS, most famously the WDigest security support provider, which kept every logged-on user’s password in memory in a reversible form.

Mimikatz was so effective at defeating Windows’ credential protections, in fact, that it compelled Microsoft to respond: the 2014 update KB2871997 back-ported several LSASS hardening changes to Windows 7, 8, Server 2008 R2 and 2012, including a registry switch (UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, set to 0) that stops WDigest from caching plain-text passwords, and Windows 8.1 and Server 2012 R2 disabled that caching by default. The tool was designed for good (to make Windows safer for all), and it’s still used today for penetration testing and security research. Sadly, it has also been repurposed by malicious actors to mount credential dumping attacks.

The 2017 NotPetya attacks bundled a credential stealer built on Mimikatz code to harvest passwords and hashes from LSASS memory (including WDigest clear-text passwords where available) and used them with PsExec and WMIC to spread to machines that were fully patched against the EternalBlue exploit it also carried.

The NotPetya attacks wreaked worldwide havoc in June of 2017. The attacks started in Ukraine, targeting the country’s financial and political institutions as well as media organizations and utility companies. NotPetya then spread quickly to the rest of the world, with infections reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the U.S., and Australia. NotPetya masqueraded as ransomware – and the attackers did demand a ransom – but it had no working decryption functionality whatsoever. NotPetya, as the world discovered, was designed to be destructive and cause as much damage as possible. In February 2018 the U.S. and U.K. governments publicly attributed the attack to the Russian military.

Examples of other attacks made possible by credential dumping

Credential dumping can open the door to other credential-based attacks:

Pass the hash (PtH)

Windows stores an unsalted MD4 hash of each password, the NT hash, in the local SAM database (local accounts), in Active Directory’s NTDS.dit (domain accounts), and in LSASS memory for every logged-on user. The NTLM protocol authenticates with this hash rather than with the password, so, as we mentioned above, a stolen NT hash lets a malicious actor create a new authenticated session in the name of the user it belongs to. Mimikatz’s sekurlsa::pth command automates this.
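To make concrete why a hash is as good as a password, both for the PtH step described under “How does credential dumping work?” and for this section, here is an added example (written for this post; it is not Mimikatz’s code and not Windows’ code) that computes the NT hash and an NTLMv2 challenge response in Python. The user name, domain, password, server challenge and client blob are constructed values. MD4 is implemented in pure Python from RFC 1320 because OpenSSL 3 builds often leave hashlib’s md4 unavailable. The server-side check, which holds only the NT hash too, accepts the attacker’s response computed from a dumped hash exactly as it accepts the victim’s.

```python
"""Why pass-the-hash works: NTLM proves possession of MD4(UTF-16LE(password)), never the password.
Added example for this post; not Mimikatz's or Windows' code."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(v, X, f, order, shifts, const):
    # One 16-step MD4 round; the register being updated cycles a, d, c, b (RFC 1320, section 3.4).
    for i in range(16):
        t = (-i) % 4
        x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _lrot((v[t] + f(x, y, z) + X[order[i]] + const) & MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is frequently disabled on OpenSSL 3."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = list(state)
        _md4_round(v, X, lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0)
        _md4_round(v, X, lambda x, y, z: (x & y) | (x & z) | (y & z),
                   (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, X, lambda x, y, z: x ^ y ^ z,
                   (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: unsalted MD4 of the UTF-16LE password. This is what the SAM, NTDS.dit
    and LSASS memory hold, and what credential dumping recovers."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse (MS-NLMP 3.3.2). The only long-term secret involved is the NT hash."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    nt_proof = hmac.new(response_key, server_challenge + client_blob, "md5").digest()
    return nt_proof + client_blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """The verifier recomputes the proof from the NT hash it stores; it never had the password either."""
    client_blob = response[16:]
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, response)


def pass_the_hash_demo() -> bool:
    """Constructed scenario: alice's NT hash was dumped from LSASS; the attacker authenticates with it."""
    user, domain = "alice", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")           # 8-byte nonce the server would send
    # Constructed NTLMv2 "temp" blob: version header, zero timestamp, 8-byte client nonce, no AV pairs.
    client_blob = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("cafef00ddeadbeef") + bytes(8)
    stolen_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # == nt_hash("password"); attacker never saw "password"
    forged = ntlmv2_response(stolen_hash, user, domain, server_challenge, client_blob)
    return server_verify(nt_hash("password"), user, domain, server_challenge, forged)
```

Note what is absent: no salt in the NT hash, and no step in which the password itself is needed. That is why resetting a password is the only way to invalidate a dumped hash, and why Windows hardening focuses on keeping the hash out of reach rather than on password complexity.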

Pass the Ticket

Kerberos is a network authentication protocol built on tickets: a ticket-granting ticket (TGT) proves who you are to the domain, and service tickets prove it to individual services, allowing the nodes of a network to verify each other’s identities securely. Mimikatz can extract the TGTs and service tickets of logged-on users from LSASS memory and inject them into another session, which then authenticates on the network as that user. Compromised Kerberos keys can also lead to the two attacks listed below.

Kerberos Golden Ticket

The Kerberos Key Distribution Center (KDC), which runs on every domain controller, encrypts and signs every TGT it issues with the key of a special domain account named krbtgt. That key is not on your workstation: an attacker needs to dump it from a domain controller, either from the NTDS.dit database or by asking the domain controller to replicate it (a DCSync-style request, which Mimikatz automates once the attacker holds an account with replication rights). With the krbtgt key, the attacker can forge a TGT for any user, including an invented domain administrator identity, and every service in the domain will accept it. That forged TGT is the “golden ticket.” Resetting the krbtgt password twice invalidates any golden tickets already minted.

Kerberos Silver Ticket

A Kerberos “silver ticket” is the service-level counterpart of the golden ticket. Kerberos issues two kinds of tickets: TGTs and service tickets. A service ticket is encrypted with the key of the account that runs the service (for file shares and most Windows services, the computer account’s NT hash), and the service decrypts and accepts it without contacting the domain controller. An attacker who has dumped that service account’s hash can therefore forge a service ticket that names any user, with any group memberships, and use it to access that one service while impersonating one of your users. Because no ticket request ever reaches the KDC, a silver ticket leaves no trace on the domain controller.

How to defend against credential dumping?

As is so often the case with online attacks, the way to defend against credential dumping attacks will depend on whether you’re an organization or a user. Both will be covered here.

For organizations

Bake encryption into the code

Developers should treat secrets in memory as a liability. Keep plain-text passwords and keys in memory only for as long as they are needed; hold them in buffers that can be overwritten, not in immutable strings that get copied around; zero those buffers as soon as the secret has been used (SecureZeroMemory on Windows, explicit_bzero on most Unix-likes, so the compiler cannot optimize the wipe away); and never write them to logs or crash dumps. Where the OS offers it, encrypt secrets that must stay resident, for example with CryptProtectMemory on Windows, whose key is held by the kernel rather than in your process, so a dump of the process alone does not expose them.
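As an added illustration of the “wipe after use” advice (example code written for this post, not taken from any library or from the original article), this Python snippet reads a secret’s backing buffer the way a memory scraper would, uses the secret, then overwrites it in place. It is CPython-specific (it uses ctypes on a bytearray’s buffer), and the password and its expected hash are constructed test values.

```python
"""How a secret sits in process memory, and how to wipe it after use.
Added example written for this post; CPython-specific (ctypes on a bytearray's buffer)."""
import ctypes
import hashlib
import hmac


def raw_memory(buf: bytearray) -> bytes:
    """Read the bytearray's backing buffer through its raw address: this is what a
    memory-scraping tool sees when it reads this process, with no encryption in the way."""
    n = len(buf)
    view = (ctypes.c_char * n).from_buffer(buf)   # shares buf's memory, no copy
    addr = ctypes.addressof(view)
    del view                                      # release the buffer export before buf is mutated
    return ctypes.string_at(addr, n)


def wipe(buf: bytearray) -> None:
    """Overwrite the secret in place. Only a mutable buffer can be wiped; an immutable
    str or bytes copy stays in memory until the allocator happens to reuse it."""
    buf[:] = bytes(len(buf))


def verify_password(candidate: bytearray, expected_digest: bytes) -> tuple:
    """Use the secret, then wipe it. Returns (memory before, memory after, verified)
    so a caller can watch the plain text disappear."""
    before = raw_memory(candidate)
    try:
        # hashlib reads the bytearray through the buffer protocol, so no bytes(candidate)
        # copy is created that we could not wipe afterwards.
        ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), expected_digest)
    finally:
        wipe(candidate)   # runs even if verification raises
    after = raw_memory(candidate)
    return before, after, ok


def demo() -> tuple:
    """Constructed password and matching SHA-256, standing in for whatever verifier you store."""
    password = bytearray(b"P@ssw0rd!")
    # The bytes literal below is itself an un-wipeable copy: exactly the pitfall to avoid in
    # real code, where the verifier would come from storage rather than from a literal.
    expected = hashlib.sha256(b"P@ssw0rd!").digest()
    return verify_password(password, expected)
```

Run demo() and the first element of the result is the plain-text password as read straight out of memory, the second is all zero bytes, and the third is the verification result. The same pattern, a mutable buffer plus a wipe in a finally block, is what the SecureZeroMemory and explicit_bzero advice looks like in practice.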

Enable Windows Defender Credential Guard

Windows Defender Credential Guard, available in the Enterprise and Education editions of Windows 10 and 11 and in Windows Server 2016 and later, uses virtualization-based security to move the secrets LSASS would normally hold (NT hashes, Kerberos keys and TGTs) into an isolated process (LSAIso) that even code running as SYSTEM on the host cannot read. It does not stop every form of credential theft (a keylogger, or malware that runs as the user and simply uses the live session, still works), but it defeats the classic “read LSASS memory and pass the hash” path. On editions that lack it, at least enable LSA protection (the RunAsPPL registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which makes LSASS a protected process that ordinary, unsigned tools cannot open.

Disable LAN Manager (LM) hashes

Older Windows versions stored each password twice: as an LM hash and as an NT hash. The LM hash is far weaker: the password is upper-cased, split into two 7-character halves, and each half is hashed separately, so it falls to brute force in minutes. Windows Vista and Server 2008 and later stop storing LM hashes by default, but the behavior is controlled by policy, so make sure “Network security: Do not store LAN Manager hash value on next password change” is enabled (registry value NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa set to 1) and then force a password change, because the setting only takes effect when passwords are next set.

Limit the number of accounts with admin rights

This just makes sense for any organization; not doing it expands your attack surface needlessly. Every account with admin rights is a credential worth dumping, and every machine an admin logs on to is a machine where that credential can be dumped. The fewer such accounts, and the fewer places they are used, the harder it is to pull off credential-based attacks across your network.

Use Microsoft Local Administrator Password Solutions (LAPS)

LAPS is a free Microsoft tool (now built into Windows as Windows LAPS) that gives the built-in local administrator account of every domain-joined computer its own random password, rotates it on a schedule, and stores it in Active Directory where only authorized staff can read it. Without LAPS, the same local admin password, and therefore the same NT hash, is typically shared by every workstation, so one dumped hash opens all of them; with LAPS, a hash dumped from one machine is worthless on the next, which makes lateral movement by pass the hash much harder for the attacker.

Limit domain admin account permissions

Limit domain administrator accounts to logging on to domain controllers, and delegate everyday administration (workstations, servers, applications) to separate accounts with narrower rights, along the lines of Microsoft’s tiered administration model. That limits the value of any one compromised account, and it keeps domain admin credentials out of LSASS memory on the workstations where they would be dumped. Also, don’t let a single user account be a local administrator on many systems. Enforce all of this with Group Policy: user-rights assignments such as “Deny log on locally” and “Deny log on through Remote Desktop Services” for privileged groups on lower tiers, and Restricted Groups to control local Administrators membership.

Use a security information and event management (SIEM) system

Make sure to use a security information and event management (SIEM) system, as it lets you collect authentication and process logs centrally and look for patterns that indicate a compromised account. Two sources are particularly useful against credential dumping: Sysmon event ID 10 (process access), which records every process that opens a handle to lsass.exe and with what access rights, and Windows Security event 4624 (successful logon), whose logon type and authentication package reveal NTLM network logons fanning out from one account to many hosts. You want breaches to be detected sooner rather than later.
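The two detections just described, as an added example that is not part of the original post. The sample events are constructed; the field names follow the Sysmon (event 10) and Windows Security (event 4624) schemas; and the allowlist of processes permitted to read LSASS (here only Defender’s MsMpEng.exe), the three-host threshold and the ten-minute window are assumptions to tune for your environment.

```python
"""Credential-dumping detections over constructed Sysmon and Windows Security events.
Added example for this post; field names follow Sysmon event 10 and Security event 4624."""
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # the access right any LSASS memory reader must hold
# Assumed allowlist: processes expected to open lsass.exe with read access (Defender's engine).
ALLOWED_LSASS_READERS = {"msmpeng.exe"}

LSASS = r"C:\Windows\system32\lsass.exe"
# Constructed sample events; Time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventID": 10, "Time": 1000, "Computer": "WS01", "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 10, "Time": 1010, "Computer": "WS01", "TargetImage": LSASS, "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 10, "Time": 1020, "Computer": "WS01", "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe"},
    {"EventID": 10, "Time": 1030, "Computer": "WS02", "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 4624, "Time": 2000, "Computer": "WS01", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": 2030, "Computer": "WS02", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": 2090, "Computer": "FS01", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": 2100, "Computer": "FS01", "TargetUserName": "carol",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Time": 2200, "Computer": "WS03", "TargetUserName": "dave",
     "LogonType": 2, "AuthenticationPackageName": "NTLM", "IpAddress": "-"},
    {"EventID": 4624, "Time": 9000, "Computer": "WS09", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_access_alerts(events, allowlist=ALLOWED_LSASS_READERS):
    """Flag any non-allowlisted process that opens lsass.exe with PROCESS_VM_READ.
    Mimikatz typically shows 0x1010 or 0x1410, ProcDump and Task Manager 0x1fffff;
    all of these include the 0x10 bit. 0x1000 (query limited information) does not."""
    alerts = []
    for e in events:
        if e.get("EventID") != 10 or _basename(e.get("TargetImage", "")) != "lsass.exe":
            continue
        if _basename(e["SourceImage"]) in allowlist:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            alerts.append((e["Computer"], e["SourceImage"], e["GrantedAccess"]))
    return alerts


def ntlm_lateral_movement_alerts(events, min_hosts=3, window_s=600):
    """Flag an account that completes NTLM network logons (type 3) to min_hosts distinct
    computers within window_s seconds: the footprint of a hash being passed around."""
    by_user = defaultdict(list)
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"):
            by_user[e["TargetUserName"]].append((e["Time"], e["Computer"]))
    alerts = []
    for user, logons in sorted(by_user.items()):
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window_s}
            if len(hosts) >= min_hosts:
                alerts.append((user, sorted(hosts)))
                break   # one alert per account is enough; the rest is triage
    return alerts


if __name__ == "__main__":
    for a in lsass_access_alerts(SAMPLE_EVENTS):
        print("LSASS read:", a)
    for a in ntlm_lateral_movement_alerts(SAMPLE_EVENTS):
        print("NTLM fan-out:", a)
```

On the sample data the first rule fires on mimikatz.exe and on Task Manager (the latter is how an attacker with a desktop session creates an LSASS dump file without any hacking tool), and stays quiet for Defender and for svchost’s query-only access; the second fires for alice, whose hash reached three hosts within 90 seconds, and ignores carol’s Kerberos logons and dave’s interactive one. In a real SIEM the same logic is a correlation rule; the allowlist will need entries for your EDR and backup agents.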

Force the use of multi-factor authentication (MFA)

By setting up MFA or 2FA (multi-factor vs. two-factor), a password the attacker has gotten their hands on won’t be enough. MFA or 2FA requires something you know (your password) and something you have (a device that provides a one-time password (OTP), or a security key) for authentication. Without both, you won’t be allowed to log in, and because the OTP changes with every login, MFA or 2FA can blunt credential dumping even if the attackers manage to get your password. Two caveats. First, MFA protects the logon it is attached to, typically VPN, web and remote access; inside a Windows network, a stolen NT hash or Kerberos ticket is already the product of a completed logon, so pass the hash and pass the ticket are not stopped by MFA. Second, OTP codes can be phished; prefer phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business where you can.

Implement CAPTCHAs for logins

CAPTCHAs are not a defense against credential dumping itself, and they are a much weaker measure than MFA or 2FA. Where they help is on internet-facing login pages: if passwords dumped from your network are later tried at scale against your web services (credential stuffing), a CAPTCHA slows the automation down and buys you time to reset them. Just remember that CAPTCHAs are not a robust security measure; an experienced attacker can bypass them with solving services and the right tools. Nonetheless, they are helpful as part of a larger security strategy, for that one scenario.

Configure and use an AI-based Intrusion Detection System (IDS)

Detecting suspicious behavior is difficult for traditional access controls because they are binary: they check the account’s permissions or an ACL and either grant or deny access, and a stolen credential passes that check. Behavioral analytics tools (often marketed as AI- or ML-based intrusion detection, or as user and entity behavior analytics, UEBA) take a different approach: they learn what “normal” looks like for each account and host (which machines a user logs on to, at what hours, with which protocols) and turn that into a baseline for flagging outliers, such as a service account suddenly making NTLM logons to a dozen workstations. That baseline-and-outlier approach can catch credential-based attacks that pass every access check, as well as many other kinds of attacks, though it needs tuning to keep false positives manageable.

For users

These are common-sense tips that can protect against various online threats. So you should be following these tips even outside the context of mitigating credential dumping attacks. Nonetheless, the bulk of these measures will also help you defend against credential dumping.

  • Log out and reboot your computer – When you’re done using your machine, log off and, ideally, reboot it. Logging off removes that session’s credentials from LSASS memory; rebooting clears whatever else was cached, hashes included.
  • Use strong and complex passwords – While not a direct defense against credential dumping, strong passwords will always be your first line of defense in a credential-based attack. The more complex your passwords are, the less likely you are to fall victim to credential-based attacks.
  • Never reuse the same password for multiple accounts – If you put the same lock on every building, it only takes one key to unlock them all. The same logic applies to your online accounts. Do not reuse the same password for multiple accounts.
  • Set up two-factor authentication (2FA) on all accounts that support it – 2FA makes it much more difficult for malicious actors to abuse your credentials. With 2FA, the password itself won’t be enough for authentication. That makes credential dumping attacks less likely to succeed. In regards to other online attacks, having 2FA enabled may well discourage an attacker from pursuing their attack once they see they have to deal with 2FA.
  • Use a password manager – A password manager is a small app that contains a database of all your passwords. So you can create complex passwords without having to remember them. You just need to remember the master password you set to unlock your database. Once the database is opened, you can access all of your complex passwords. Some password managers also include a password generator to generate secure passwords for you automatically. Many password managers also have autofill capabilities, so you don’t need to copy and paste them manually – particularly useful on mobile devices. Choose carefully, though: if you use a cloud-synced manager, pick one with end-to-end (zero-knowledge) encryption, so the vendor’s servers only ever hold data encrypted with your master password. An offline manager avoids the server entirely, at the cost of syncing the database yourself, and there are plenty of them.
  • Don’t open attachments in emails unless you know who the sender is and you’ve confirmed with that person that they actually sent you that email. You should also make sure they’re aware the email contains an attachment and that they know what the attachment is.
  • Don’t click links (URLs) in emails unless you confirm who sent you the link and where it leads. It would also be good to contact the sender through another channel (not email) to make sure they’re not being impersonated. Once you’ve done that, you should scrutinize the link. Is it an HTTP or an HTTPS link? The great majority of legitimate websites use HTTPS today, so a plain HTTP link is a red flag; the reverse is not true, though, since phishing sites use HTTPS too, and the padlock says nothing about who runs the site. Also, check the domain for look-alike spelling (faceboook instead of facebook, or goggle instead of google). If you can get to the destination without using the link, do that instead.
  • Use a firewall – All major operating systems include a built-in inbound firewall, and every home router provides NAT, which blocks unsolicited inbound connections. Enable both. They won’t undo a malicious link you clicked, but they do block the direct network attacks (exposed SMB, RDP and the like) that worms such as NotPetya relied on to spread.
  • Use an antivirus program – Windows’ built-in Microsoft Defender is a reasonable default; if you buy something else, only buy genuine, well-reviewed software from a legitimate vendor. Set it up for frequent scans and keep it and its threat database updated. Endpoint products increasingly block the one action every credential dumper needs, opening LSASS memory; Microsoft Defender, for example, has an attack surface reduction rule, “Block credential stealing from the Windows local security authority subsystem,” aimed at exactly that.
  • Keep your operating system updated – You want to be sure your machine is running with the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Install them as soon as they’re available.
  • Never click on pop-ups. Ever. Pop-ups are just bad news – you never know where they take you.
  • Pay attention to your browser’s warning messages – Web browsers today display quite a few warnings or alerts to their users. While sometimes those warnings are triggered by false positives, you should still take those warnings seriously. So if your browser displays a security prompt about a URL you’re attempting to visit, take the warning seriously and get your information elsewhere. That’s especially true if you clicked a link you received by email or SMS – that link could send you to a malicious site. Do not disregard your computer’s warning prompts.

Wrap up

So there you have it. Credential dumping is yet another serious credential-based attack that you should keep in mind. By implementing the above measures and adding a dash of luck, you can lower the odds of falling victim to credential dumping, as well as other credential-based attacks.