There is a Windows tool called PwDump7 that is used for dumping system passwords. PwDump7 works by extracting the SAM and SYSTEM files from the filesystem and then extracting the password hashes from them. A malicious attacker can use this tool to extract credentials from the victim system.
- The attacker gains a foothold on the server via an exploitation method.
- The attacker uses PwDump on the server to extract credentials.
PwDump7 can be used as a post-compromise tool; the attacker must have access to the system. Access can be local or remote. To acquire remote access, the attacker may need to exploit a vulnerability in the system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the affected system when a tool of this type is run. An incident will be generated in the Alert Logic console if these log messages are observed.
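As an added, constructed illustration of the log-based detection idea above (this is not Alert Logic's signature logic and not PwDump7's code): the Windows Security event IDs 4688 (process creation) and 4663 (object access, which requires a SACL on the hive files) are real, but the simplified event tuples, the sample values and the `detect` function are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Hive files PwDump7 reads straight from disk (compared case-insensitively).
HIVES = {"sam": r"\windows\system32\config\sam",
         "system": r"\windows\system32\config\system"}
# Rule 1 trigger: the image name of a newly created process contains "pwdump".
DUMPER_NAME = re.compile(r"pwdump", re.IGNORECASE)

# Constructed sample events, not real logs: (timestamp, event_id, process, object)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", 4688, r"C:\Windows\System32\svchost.exe", ""),
    ("2024-01-01T10:00:05", 4688, r"C:\Users\Public\PwDump7.exe", ""),
    ("2024-01-01T10:00:06", 4663, r"C:\Users\Public\PwDump7.exe", r"C:\Windows\System32\config\SAM"),
    ("2024-01-01T10:00:06", 4663, r"C:\Users\Public\PwDump7.exe", r"C:\Windows\System32\config\SYSTEM"),
    ("2024-01-01T10:05:00", 4663, r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\config\SAM"),
    ("2024-01-01T10:07:00", 4663, r"C:\Users\Public\update.exe", r"C:\Windows\System32\config\SAM"),
    ("2024-01-01T10:07:02", 4663, r"C:\Users\Public\update.exe", r"C:\Windows\System32\config\SYSTEM"),
]

def detect(events, window=timedelta(seconds=60), allowlist=frozenset()):
    """Return a list of (rule, process) alerts.
    Rule 1: a process whose image name contains 'pwdump' was created (4688).
    Rule 2: one process read both the SAM and SYSTEM hive files (4663) within
    `window`, which catches a renamed dumper that rule 1 misses.
    `allowlist` holds lower-cased image paths exempt from rule 2 (assumed tuning knob)."""
    alerts = []
    hive_reads = {}  # process (lower-cased) -> {hive name: time of read}
    for ts, event_id, process, obj in events:
        t = datetime.fromisoformat(ts)
        proc = process.lower()
        if event_id == 4688 and DUMPER_NAME.search(proc):
            alerts.append(("known-dumper-executed", process))
        elif event_id == 4663 and proc not in allowlist:
            for hive, path in HIVES.items():
                if obj.lower().endswith(path):
                    hive_reads.setdefault(proc, {})[hive] = t
            seen = hive_reads.get(proc, {})
            if len(seen) == 2 and abs(seen["sam"] - seen["system"]) <= window:
                alerts.append(("sam-and-system-read", process))
                hive_reads.pop(proc)  # alert once per SAM+SYSTEM pair
    return alerts

def run_sample():
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, process in run_sample():
        print(f"ALERT {rule}: {process}")
```

In the sample, lsass.exe reading only the SAM file produces no alert, while the renamed update.exe is caught by rule 2 even though rule 1 never sees the string "pwdump".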
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.