Proactive credential dump hunting with SOAR

by Nick Tausek on June 5, 2019

MITRE ATT&CK™ defines credential dumping as “the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software.” The security information sharing network continues, “Credentials can be used to perform Lateral Movement and access restricted information.”

In short, when an organization is breached, bad actors seek to find and share valid credentials for employees, customers, etc. to continue to do damage.

Valid credentials are among the most sought-after, useful and traded commodities for information thieves. Billions of harvested and stolen credentials are traded on the black market every year—and many individuals and organizations don’t know their credentials are among them.

The process for discovering leaked credentials manually is time-consuming, error-prone and mind-numbing, especially once you start searching across the 12 domains in your organization, the names of your C-suite and other sensitive keywords. Making matters more complicated, you must trust Pastebin, etc. to run searches with said sensitive keywords, since you just nicely submitted them all as queries.

Let a robot do it!

While it’s not technically a robot, this is where security orchestration, automation and response (SOAR) platform like Swimlane comes in. A SOAR solution empowers you with automation (hence the robots) and can help you run valuable keyword searches automatically without requiring you to submit them to Pastebin. You can give Swimlane a set of keywords to search, set it to monitor Pastebin in real time. Now, in a matter of minutes, you are empowered to monitor for keywords without submitting them to Pastebin, you can download automatically, parse, score, and present your findings to an analyst for final maliciousness determination.

Sponsorships Available

See it in action

To test things out, I created a search term for Swimlane CEO Cody Cornell. Here’s how the use case was able to work its magic:

On May 30, 2019, two documents were put on Pastebin containing the string “Cody Cornell,” and I got an alert. By going to the “Cody Cornell” record, I can see the matching hits:

Let’s open one of them.

We can see a few things right off the bad. First, we can see some metadata about the paste and the record, including date uploaded to Pastebin, date scraped from Pastebin into Swimlane, the paste ID, reference URL, and current determination status:

The automated dump score—which tries to determine the likelihood that this is a credential dump—is low.

That’s nice, but analysts want the good stuff. Let’s look at the dump itself via the “found contexts” and “full dump” displays to get at the real tofu and potatoes:

The found contexts window shows analysts the context(s) in which the search term(s) was discovered, +/- 1024 characters from the search term location. Here we can see these are clearly some kind of user-defined parameters in Chinese. Apparently, he’s a male creature with damage to his right thigh. (I’d like to thank my Japanese tutor for the reading comprehension skills on that one).

The full dump display shows the first 100k of the paste. This often contains information such as column headers, author information, 13375p33k braggadocio, and the origin of the data. We can determine from this data that we are looking at a RimWorld video game modding log. That, combined with the apparent lack of connection to Swimlane in the context data about this other Cody, tells me that this is not a malicious paste dump. So I click “Benign” and move on.

Looks like Cody is safe for now.

Another example

To test the credential/data dump hunting use case, I dropped a group of fairly well-known Fortune 500 domains into search records. Some screenshot data has been redacted to protect the compromised.

Let’s look at a hit that came in a couple of weeks after I started searching this term:

The automated cred dump scoring script rated this to have a high cred dump likelihood, as you can see in the top right corner. Now let’s look at the “found contents” and “full dump” to confirm.

Holy credential dump, Batman! We’ve got about a bazillion and 10 email addresses and associated hashed passwords, including one matching our search term (displayed in blue in found contexts)!

Given the header and relative homogeneity of the email addresses, this definitely looks like a database dump from “gruposummus.com.br.” This means that a user used their corporate email to sign up for this website. In an alternate universe where users never recycle passwords between domains, this represents no threat to your organization. We do not live in that universe.

Now we can mark this one malicious and automatically inform the appropriate team to reset this user’s password and initiate any other necessary remediation steps!

But this is just the tip of the iceberg. For a more in-depth discussion and to see more SOAR in action, register for our “SOAR Use Case: Proactive Credential Dump Hunting” webinar.