T1003.002 – Security Account Manager Dumping (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-SAM-DUMP-1003-7842
Alert Time: 2024-03-11 09:30:15 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “SAM Registry Hive Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.002 – OS Credential Dumping: Security Account Manager

Alert Details:

Detection: Process accessing SAM (Security Account Manager) registry hive

Host: DC-01 (Domain Controller)
User: SYSTEM (via compromised admin)
Process: C:\Windows\Temp\sam_dump.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Time: 09:25 EST

Registry Access Events:

09:25:10 – RegOpenKeyEx (HKLM\SAM) – SUCCESS

09:25:12 – RegOpenKeyEx (HKLM\SAM\SAM) – SUCCESS

09:25:15 – RegOpenKeyEx (HKLM\SAM\SAM\Domains) – SUCCESS

09:25:18 – RegOpenKeyEx (HKLM\SAM\SAM\Domains\Account) – SUCCESS

09:25:21 – RegOpenKeyEx (HKLM\SAM\SAM\Domains\Account\Users) – SUCCESS

09:25:24 – RegQueryValueEx (Names) – SUCCESS

09:25:27 – RegQueryValueEx (F) – SUCCESS (user hashes)

09:25:30 – RegQueryValueEx (V) – SUCCESS (user hashes)

Files Created:

C:\Windows\Temp\sam.hive (3.5 MB) – SAM hive extracted
C:\Windows\Temp\system.hive (12 MB) – SYSTEM hive (for boot key)
C:\Windows\Temp\hashes.txt (extracted hashes)

Detection Logic:

Process accessing SAM registry hive (highly privileged, normally SYSTEM only)
SAM hive contains NTLM hashes of all local users (on DC, all domain users)
Multiple registry queries for user hash data
Files created to store extracted data
Pattern matches credential dumping (samdump2, Mimikatz, etc.)
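The detection logic above, as an added example that is not part of the original report or of any CrowdStrike rule: a small Python correlator run over constructed telemetry lines modelled on the alert's registry and file events. The pipe-separated event format, the lsass.exe allow-list and the FileCreate operation name are assumptions made for the example.

```python
SAM_USER_KEY = "hklm\\sam\\sam\\domains\\account"       # per-user hash container in the SAM hive
HASH_VALUES = {"f", "v"}                               # values holding the NTLM hash material
ALLOWED_IMAGES = {"c:\\windows\\system32\\lsass.exe"}  # assumed allow-list; tune per environment
DUMP_DIR = "c:\\windows\\temp\\"                       # where the alert's dump files landed

# Constructed telemetry (not real Falcon output): "time | image | pid | operation | target | result"
SAMPLE_EVENTS = [
    "09:20:01 | C:\\Windows\\System32\\lsass.exe | 712 | RegOpenKeyEx | HKLM\\SAM\\SAM\\Domains\\Account\\Users | SUCCESS",
    "09:20:02 | C:\\Windows\\System32\\lsass.exe | 712 | RegQueryValueEx | V | SUCCESS",
    "09:22:40 | C:\\Windows\\System32\\svchost.exe | 1304 | RegOpenKeyEx | HKLM\\SAM | SUCCESS",
    "09:25:10 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | RegOpenKeyEx | HKLM\\SAM | SUCCESS",
    "09:25:21 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | RegOpenKeyEx | HKLM\\SAM\\SAM\\Domains\\Account\\Users | SUCCESS",
    "09:25:27 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | RegQueryValueEx | F | SUCCESS",
    "09:25:30 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | RegQueryValueEx | V | SUCCESS",
    "09:25:33 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | FileCreate | C:\\Windows\\Temp\\sam.hive | SUCCESS",
    "09:25:35 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | FileCreate | C:\\Windows\\Temp\\system.hive | SUCCESS",
    "09:25:40 | C:\\Windows\\Temp\\sam_dump.exe | 4789 | FileCreate | C:\\Windows\\Temp\\hashes.txt | SUCCESS",
]

def parse_event(line):
    """Split one telemetry line into a dict; return None for malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6 or not parts[2].isdigit():
        return None
    time, image, pid, op, target, result = parts
    return {"time": time, "image": image.lower(), "pid": int(pid),
            "op": op, "target": target.lower(), "result": result}

def detect_sam_dump(lines):
    """Flag non-allow-listed processes that opened SAM user keys and read F/V; CRITICAL if they also wrote dump files."""
    state = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "SUCCESS":
            continue  # only successful operations advance the pattern
        st = state.setdefault(ev["pid"], {"image": ev["image"], "sam_keys": 0, "hash_values": set(), "files": []})
        if ev["op"] == "RegOpenKeyEx" and ev["target"].startswith(SAM_USER_KEY):
            st["sam_keys"] += 1
        elif ev["op"] == "RegQueryValueEx" and ev["target"] in HASH_VALUES:
            st["hash_values"].add(ev["target"])
        elif ev["op"] == "FileCreate" and ev["target"].startswith(DUMP_DIR):
            st["files"].append(ev["target"])
    alerts = []
    for pid, st in state.items():
        if st["image"] in ALLOWED_IMAGES or not st["sam_keys"] or not st["hash_values"]:
            continue  # lsass.exe is expected here; svchost only opened the hive root
        alerts.append({"pid": pid, "image": st["image"], "technique": "T1003.002",
                       "severity": "CRITICAL" if st["files"] else "HIGH", "files": st["files"]})
    return alerts
```

Running `detect_sam_dump(SAMPLE_EVENTS)` yields a single CRITICAL alert for PID 4789 listing the three dump files, while the lsass.exe and svchost.exe activity produces nothing.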
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed SAM registry access and dumping |
| 2. File Analysis | Analyze sam_dump.exe | CrowdStrike Sandbox | Credential dumping tool (secretsdump variant) |
| 3. Process Investigation | Identify source | CrowdStrike | PsExec from compromised admin workstation |
| 4. Immediate Action | Terminate process, delete dump files | CrowdStrike | Process killed; sam.hive, system.hive, hashes.txt deleted |
| 5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 6. Enterprise Response | Force password reset for all users | Azure AD, AD | All domain passwords reset |

Jira Incident Report
Ticket: SOC-2024-201
Summary: T1003.002 – SAM Hive Dumped on Domain Controller (All Domain Hashes Compromised)
Status: RESOLVED
Resolution: MALICIOUS – Hashes Exfiltrated, All Passwords Reset
Priority: P1 – CRITICAL
Labels: T1003, sam-dump, credential-dumping, domain-controller, compromised-admin
Components: Endpoint-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “SAM Registry Hive Access – Potential Credential Dumping”.
Host: DC-01 (Primary Domain Controller).
Process: C:\Windows\Temp\sam_dump.exe.
Data: SAM and SYSTEM hives dumped; all domain user hashes extracted.
Time: 2024-03-11 09:30 EST.
Technique: MITRE ATT&CK T1003.002 – OS Credential Dumping: Security Account Manager.

2. Technical Analysis:

Attack Chain:

08:30 – Domain admin account (jsmith) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
09:00 – Attacker uses PsExec to copy sam_dump.exe to DC-01
09:10 – sam_dump.exe executed with SYSTEM privileges
09:15-09:25 – SAM and SYSTEM hives extracted
09:25 – Hashes extracted to hashes.txt
09:25 – CrowdStrike Falcon detects the registry access and raises the alert

Data Compromised:

SAM hive: Contains NTLM hashes for all 3,247 domain users
SYSTEM hive: Contains boot key needed to decrypt SAM hashes
hashes.txt: Extracted NTLM hashes (ready for offline cracking)

Dumping Tool:

Name: sam_dump.exe (variant of secretsdump.py)
Method: Direct registry access (not LSASS)
Output: sam.hive, system.hive, hashes.txt

Impact:

All domain user NTLM hashes compromised
Attacker can crack weak passwords offline
Golden ticket attack possible (if krbtgt hash obtained)
Full domain compromise

3. Investigation Findings:

Timeline:

08:30 – Admin account compromised
08:45 – Attacker logs in
09:00 – Tool deployed
09:10-09:25 – Dumping
09:25 – Alert
09:27 – SOC investigates
09:28 – Process terminated
09:29 – Dump files deleted
09:30 – Admin account disabled
10:00 – Enterprise password reset begins

Indicators of Compromise (IoCs):

Files:

– C:\Windows\Temp\sam_dump.exe (SHA256: a1b2c3d4…)

– C:\Windows\Temp\sam.hive (3.5 MB, deleted)

– C:\Windows\Temp\system.hive (12 MB, deleted)

– C:\Windows\Temp\hashes.txt (extracted hashes, deleted)

Registry:

– Access to HKLM\SAM\SAM\Domains\Account\Users

Account:

– jsmith (compromised domain admin)

4. Containment Actions:

Immediate Actions:

Terminated sam_dump.exe.
Deleted all dump files.
Isolated DC-01 temporarily.
Disabled compromised admin account.
Reset password.

Enterprise Remediation:

Forced password reset for ALL domain users (3,247).
Reset krbtgt password (twice) to invalidate all Kerberos tickets.
Reset all service account passwords.
Enforced MFA for all users.

Host Remediation:

Reimaged DC-01 from clean backup.

5. Root Cause Analysis:

Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.
SAM registry accessible (no additional protections).

6. Business Impact:

Operational Impact: All users required password reset; DC offline for 2 hours.
Data Exposure: All domain hashes compromised; passwords must be reset.
Regulatory Impact: Potential breach notification if passwords cracked.

7. Remediation & Prevention:

Completed Actions:

Dumping stopped.
Dump files deleted.
All passwords reset.
Admin account secured.

Technical Controls Enhanced:

Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented Credential Guard.
Disabled NTLM where possible.
Enhanced monitoring for SAM registry access.

8. Conclusion:

An attacker compromised a domain admin account and dumped the SAM hive from the domain controller, obtaining NTLM hashes for all 3,247 domain users. CrowdStrike detected the anomalous registry access, enabling rapid deletion of the dump files and an enterprise-wide password reset.

Closure Rationale: Hashes dumped but deleted; all passwords reset; admin account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 10:30 EST
