Despite all the cybersecurity industry’s talk of preventing “breaches,” a computer network in some ways is less like a fortress and more like a human body. And skillful hackers are like germs: They tend to get in via some orifice or another. Once inside, it’s whether they can thrive and multiply their infections—and what vital organs they can reach—that determines whether the outcome is a sneeze or a full-on catastrophic takeover.
In many modern hacking operations, the difference comes down to a technique known as “credential dumping.” The term refers to any means of extracting, or “dumping,” user authentication credentials like usernames and passwords from a victim computer, so that they can be used to reenter that computer at will and reach other computers on the network. Often credential dumping pulls multiple passwords from a single machine, each of which can offer the hacker access to other computers on the network, which in turn contain their own passwords ready to be extracted, turning a single foothold into a branching series of connected intrusions. And that’s made the technique at least as crucial to hackers’ work—and as dangerous for sensitive networks—as whatever phishing email or infected attachment let hackers find entry into the network in the first place.
Credential dumping is largely possible because operating systems have long tried to spare users the inconvenience of repeatedly entering their password. Instead, after a user is prompted to enter it once, their password is stored in memory, where it can be called up by the operating system to seamlessly prove the user’s identity to other services on the network.
But the result is that once a hacker has gained the ability to run code on a victim machine, he or she can often dig up the user’s password from the computer’s memory, along with any other users’ passwords that might linger there. In other cases, the hacker can steal a file from the computer’s disk called the Security Account Manager, or SAM, which contains a list of the network’s hashed passwords. If the passwords are too simple or if the hashing is weak, they can then often be cracked one by one.
Amit Serper, a researcher for security firm Cybereason and a former Israeli intelligence hacker, compares credential dumping to a thief who sneaks through an open window, but once inside finds a spare key to the victim’s house he or she can copy—along with keys to the victim’s car and office. “You got in that one time, but if you want to come back you have to have keys to the house,” Serper says. “Once you have those keys, you can do whatever you want.”
In some cases, Serper says, he’s seen hackers mess with settings on a computer to frustrate the user until he or she calls tech support, which results in an administrator logging into their machine. The hacker can then steal that administrator’s much more valuable credentials from memory and use them to wreak havoc elsewhere on the network.
Credential dumping is so crucial to modern hacking operations, Serper says, that he finds in analyses of victim networks that it often precedes even the other basic moves hackers make after gaining access to a single computer, such as installing persistent malware that will survive if the user reboots the machine. “In every large breach you look at today, credentials are being dumped,” Serper says. “It’s the first thing that happens. They just get in, then they dump the passwords.”
By far the most common tool for credential dumping was created in 2012 by a French security researcher named Benjamin Delpy and is known as Mimikatz. Delpy, who worked for a French government agency, wrote it to improve his C++ coding skills and also as a demonstration of what he saw as a security oversight in Windows that he wanted to prove to Microsoft.
Since then, Mimikatz has become the go-to credential dumping tool for any hacker who hopes to expand access across a network. Dmitri Alperovitch, the chief technology officer of security firm Crowdstrike, calls it the “AK-47 of cybersecurity.” Some sophisticated hackers also build their own credential dumping tools. More often they modify or customize Mimikatz, which is what happened with the likely Chinese hackers revealed last month to have targeted at least 10 global phone carriers in an espionage campaign.
Aside from that sort of espionage, credential dumping has become a key tool for hackers who seek to spread their infection to an entire network with the aim of destroying or holding ransom as many computers as possible. Mimikatz, for instance, served as an ingredient in a range of paralyzing incidents, from the LockerGoga ransomware attack on aluminum firm Norsk Hydro to the NotPetya worm, a piece of destructive malware released by Russian state hackers that became the most costly cyberattack in history. “Any time we hear in the news that ransomware has taken out an entire organization, this is what happened,” says Rob Graham, the founder of Errata Security. “This is how it spread through the entire domain: It gets credentials and uses this mechanism to spread from one computer to the next.”
The danger of credential dumping, Graham warns, is that it can turn even one forgotten computer with unpatched vulnerabilities into that sort of network-wide disaster. “It’s not the systems that everyone knows about that you need to worry about, those are patched. It’s the systems you don’t know about,” he says. “A foothold on these unimportant systems can spread to the rest of your network.”
While keeping hackers from ever gaining that foothold is an impossible task, Graham says that system administrators should carefully limit the number of users with administrative privileges to prevent powerful credentials from being accessed by hackers. Administrators should be wary of logging into computers that they suspect might be compromised by hackers. And Cybereason’s Amit Serper points out that two-factor authentication can help, limiting the use of stolen passwords since anyone trying to use them would need a second authentication factor, too, like a one-time code or a Yubikey.
“Having that second factor is the best way to battle credential dumping,” Serper says. “How else can you protect yourself if someone has the master key to your house?”