# Credential Tools
> Tools specialized in credential access and theft, from memory (LSASS) and SAM dumps to Kerberos attacks (pass-the-hash, pass-the-ticket, Kerberoasting). Widely documented in MITRE ATT&CK under the **Credential Access (TA0006)** tactic.
```mermaid
graph TB
subgraph FONTES["🗄️ Credential Sources"]
LSASS["LSASS Process<br/>Hashes NTLM, Kerberos TGT"]
SAM["SAM / Registry<br/>Local Windows accounts"]
KRB["Kerberos / AD<br/>Tickets, SPN hashes"]
MEM["Memory / Cache<br/>Cleartext credentials"]
end
subgraph TOOLS["🔑 Tools"]
MIM["Mimikatz<br/>LSASS dump, PTH, PTT"]
RUB["Rubeus<br/>Kerberoasting, AS-REP"]
LAZ["LaZagne<br/>Multi-source, browsers"]
DUMP["gsecdump / pwdump<br/>fgdump, cachedump"]
WCE["Windows Credential Editor<br/>Pass-the-Hash"]
PTH["Pass-the-Hash Toolkit<br/>Lateral movement"]
end
subgraph IMPACTO["💥 Impact"]
LM["Lateral Movement<br/>PsExec, WMI, SMB"]
ESC["Privilege Escalation<br/>Golden/Silver Ticket"]
PER["Persistence<br/>DCSync, skeleton key"]
end
FONTES --> TOOLS
TOOLS --> IMPACTO
style FONTES fill:#1a1a2e,color:#fff
style TOOLS fill:#16213e,color:#fff
style IMPACTO fill:#0f3460,color:#fff
style MIM fill:#e74c3c,color:#fff
style RUB fill:#c0392b,color:#fff
style LAZ fill:#922b21,color:#fff
style DUMP fill:#641e16,color:#fff
style WCE fill:#7b241c,color:#fff
style PTH fill:#4a235a,color:#fff
```
> [!danger] High-Impact Techniques
> Credential access tools frequently result in **full domain compromise** when combined with credential hygiene failures. Prioritize detection of LSASS dumps and Kerberoasting.
## Associated TTPs
- **[[t1003-os-credential-dumping|T1003]]** - OS Credential Dumping (LSASS, SAM, NTDS)
- **[[t1558-steal-or-forge-kerberos-tickets|T1558]]** - Kerberoasting, AS-REP Roasting
- **[[t1550-use-alternate-authentication-material|T1550]]** - Pass-the-Hash, Pass-the-Ticket
- **[[t1555-credentials-from-password-stores|T1555]]** - Credentials from password stores
Relevant mitigations:
- **[[_mitigations|Mitigations Hub]]** - applicable M-series controls
- **[[_defenses|Defensive Hub]]** - detections and playbooks
## Catalog
%%
```dataview
TABLE WITHOUT ID
link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status"
FROM "cti/software/tools/credential-tools"
WHERE type = "malware" OR type = "tool"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status" FROM "cti/software/tools/credential-tools" WHERE type = "malware" OR type = "tool" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Ferramenta", aliases AS "Aliases", status AS "Status" FROM "cti/software/tools/credential-tools" WHERE type = "malware" OR type = "tool" SORT title ASC -->
| Tool | Aliases | Status |
| ----------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------ |
| [[s0119-cachedump\|Cachedump]] | <ul><li>Cachedump</li></ul> | active |
| [[s0120-fgdump\|Fgdump]] | <ul><li>Fgdump</li></ul> | active |
| [[s0008-gsecdump\|gsecdump]] | <ul><li>gsecdump</li></ul> | active |
| [[cti/software/tools/credential-tools/s0349-lazagne.md\|LaZagne]] | <ul><li>LaZagne</li></ul> | active |
| [[s0121-lslsass\|Lslsass]] | <ul><li>Lslsass</li></ul> | active |
| [[cti/software/tools/credential-tools/mimikatz.md\|Mimikatz]] | <ul><li>Mimikatz</li><li>gentilkiwi</li></ul> | active |
| [[s0002-mimikatz\|Mimikatz]] | <ul><li>Mimikatz</li><li>mimikatz.exe</li><li>sekurlsa</li></ul> | active |
| [[s0179-mimipenguin\|MimiPenguin]] | <ul><li>MimiPenguin</li></ul> | active |
| [[s1131-nppspy\|NPPSPY]] | <ul><li>NPPSPY</li></ul> | active |
| [[s0122-pass-the-hash-toolkit\|Pass-The-Hash Toolkit]] | <ul><li>Pass-The-Hash Toolkit</li></ul> | active |
| [[s0006-pwdump\|pwdump]] | <ul><li>pwdump</li></ul> | active |
| [[s1071-rubeus\|Rubeus]] | <ul><li>Rubeus</li></ul> | active |
| [[s0005-windows-credential-editor\|Windows Credential Editor]] | <ul><li>Windows Credential Editor</li><li>WCE</li></ul> | active |
<!-- SerializedQuery END -->
## Navigation
- [[_tools|Tools Hub]] - overview of all tools
- [[_software|Software Hub]] - malware + tools
- [[_cti|CTI Hub]] - central intelligence hub