Credentials in Files

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through Credential Dumping.[1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.[2]

ID: T1081

Tactic: Credential Access

Platform: Linux, macOS, Windows

System Requirements: Access to files

Permissions Required: User, Administrator, SYSTEM

Data Sources: File monitoring, Process command-line parameters

CAPEC ID: CAPEC-545

Version: 1.0

Examples

Name / Description
APT3

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[3]

Azorult

Azorult can steal credentials from the victim's browser.[4]

BlackEnergy

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Mozilla password manager, Google Chrome password manager, Outlook, Internet Explorer, and Windows Credential Store.[5][6]

Emotet

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.[7][8]

Empire

Empire can use various modules to search for files containing passwords, including those associated with web browsers such as Firefox and Chrome.[9]

jRAT

jRAT can capture passwords from various browsers and applications.[10]

KONNI

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[11]

LaZagne

LaZagne can obtain credentials from browsers, chats, databases, mail, and WiFi.[12]

Mimikatz

Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions.[13][14]

MuddyWater

MuddyWater has run a tool that steals passwords saved in victim web browsers and email.[15]

Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[16]

pngdowner

If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[17]

PoshC2

PoshC2 contains modules for searching for passwords in local and remote files.[18]

Prikormka

A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[19]

Proton

Proton gathers credentials in files for Chrome, 1Password, and keychains.[20]

QuasarRAT

QuasarRAT can obtain passwords from common browsers and FTP clients.[21][22]

Smoke Loader

Smoke Loader searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers.[23]

Stolen Pencil

Stolen Pencil has used tools that are capable of obtaining credentials from saved mail and browser passwords.[24]

TrickBot

TrickBot can obtain passwords stored in files from several applications and browsers, such as Outlook, Filezilla, WinSCP, Chrome, Firefox, Internet Explorer, and Microsoft Edge. Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[25][26]

XAgentOSX

XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[27]

XTunnel

XTunnel is capable of accessing locally stored passwords on victims.[28]

Mitigation

Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences.[29]
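The "preemptively search for files containing passwords" step above can be automated. The following sweep is an added example written for this page, not tooling from ATT&CK or from any of the projects listed in the examples table. It walks a directory tree, reads only text-like configuration files, flags lines that assign a non-placeholder value to a secret-looking key, and redacts the value in its report so the report does not itself become a credentials file. The key names, placeholder patterns and file suffixes are a starter list (an assumption to tune per environment), and the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Sweep a directory tree for plaintext credentials in configuration files.

Added example, not part of the ATT&CK page. Reports where a credential
assignment was found and redacts the value.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Tuple

# Key names that commonly carry secrets in config files (assumption: a starter list, not exhaustive)
KEY_PATTERN = re.compile(
    r"""(?<![\w.-])(?P<key>[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*)"""
    r"""["']?\s*[:=]\s*["']?(?P<value>[^"'\s#]{4,})""",
    re.IGNORECASE,
)
# Values that are variable references or placeholders rather than real secrets
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|\*+|x+|changeme|example|none|null)$", re.IGNORECASE)
# Only text-like files are read; binaries and large data files are skipped
TEXT_SUFFIXES = {".ini", ".cfg", ".conf", ".properties", ".yaml", ".yml", ".json", ".xml", ".txt", ".ps1", ".sh", ".py"}
MAX_BYTES = 1_000_000


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    redacted: str


def redact(value: str) -> str:
    """Keep two leading characters so an owner can recognise the value, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_file(path: Path) -> List[Finding]:
    """Return one Finding per line that assigns a non-placeholder value to a secret-like key."""
    findings: List[Finding] = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return findings
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_PATTERN.search(line)
        if m and not PLACEHOLDER.match(m.group("value")):
            findings.append(Finding(str(path), line_no, m.group("key").lower(), redact(m.group("value"))))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk root and scan every file whose name marks it as text config (dotenv files have no suffix)."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.startswith(".env") or p.suffix.lower() in TEXT_SUFFIXES:
                out.extend(scan_file(p))
    return out


def summarize(findings: List[Finding]) -> List[Tuple[str, str, int]]:
    """(file name, key, line) triples in a stable order, for reports and tests."""
    return sorted((Path(f.path).name, f.key, f.line_no) for f in findings)


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp dir: two real leaks, two placeholders, one binary."""
    root = tempfile.mkdtemp(prefix="credscan-")
    files = {
        "app/config.ini": "[database]\nhost = db.internal\npassword = hunter2-sample\n",
        "app/.env": "API_KEY=${VAULT_API_KEY}\nDB_PASSWORD=\"s3cr3t-sample\"\n",
        "app/settings.json": '{"api_token": "<replace-me>", "timeout": 30}\n',
        "notes/readme.txt": "Change the password regularly.\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    Path(root, "bin").mkdir(exist_ok=True)
    Path(root, "bin", "tool.exe").write_bytes(b"MZ\x00\x01password=binaryjunk")  # skipped: not a text suffix
    return root


if __name__ == "__main__":
    for name, key, line_no in summarize(scan_tree(build_sample_tree())):
        print(f"{name}:{line_no} assigns {key}")
```

Run it against a real share or build tree instead of the sample directory by calling scan_tree with that path; the placeholder filter is what keeps `${VAULT_API_KEY}`-style references out of the report, which matters when the policy is "move secrets to a vault and leave only references behind".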

Detection

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
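The command-line monitoring described above, as an added example that is not part of the ATT&CK page: it scores process-creation events using the keywords listed (password, pwd, login, secure, credentials) and raises an alert only when a keyword appears together with a search utility or a recursive flag, so an editor opening a file called login-notes.txt does not alert while a recursive content search for "password" does. The event format (JSON lines with ts, host, user, image and cmdline), the search-utility list and the sample events are assumptions constructed for the demonstration.

```python
"""Score process-creation events for command lines that look like a search for stored passwords.

Added example, not part of the ATT&CK page. Events are JSON lines with the fields
ts, host, user, image and cmdline (assumption: a simplified EDR/Sysmon export).
"""
import json
import re
from typing import List, NamedTuple, Tuple

# Terms from the detection guidance: password, pwd, login, secure, credentials
KEYWORDS = re.compile(r"(password|pwd|login|secure|credential)", re.IGNORECASE)
# Utilities that search file names or contents (assumption: a starter list)
SEARCH_TOOLS = re.compile(
    r"(?:^|[\\/\s])(findstr|grep|egrep|rg|find|dir|select-string|get-childitem|gci|ls)(?:\.exe)?\b",
    re.IGNORECASE,
)
# Flags that make a search recursive, e.g. /s, /si, -r, -ri, -Recurse, --recursive (heuristic)
RECURSIVE = re.compile(r"(?:^|\s)(?:/s\w*|-[a-z]*r[a-z]*|--recursive)(?=\s|$)", re.IGNORECASE)
THRESHOLD = 2  # a keyword plus at least one search indicator


class Alert(NamedTuple):
    ts: str
    host: str
    user: str
    score: int
    reasons: Tuple[str, ...]


def score_cmdline(cmdline: str) -> Tuple[int, Tuple[str, ...]]:
    """One point each for a keyword, a search utility and a recursive flag, with the evidence."""
    score, reasons = 0, []
    found = sorted({k.lower() for k in KEYWORDS.findall(cmdline)})
    if found:
        score += 1
        reasons.append("keywords=" + ",".join(found))
    tool = SEARCH_TOOLS.search(cmdline)
    if tool:
        score += 1
        reasons.append("search-tool=" + tool.group(1).lower())
    if RECURSIVE.search(cmdline):
        score += 1
        reasons.append("recursive")
    return score, tuple(reasons)


def scan_events(lines: List[str]) -> List[Alert]:
    """Alert at or above THRESHOLD; a keyword hit is required, so 'dir /s' alone never alerts."""
    alerts: List[Alert] = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        score, reasons = score_cmdline(ev.get("cmdline", ""))
        if score >= THRESHOLD and any(r.startswith("keywords=") for r in reasons):
            alerts.append(Alert(ev.get("ts", ""), ev.get("host", ""), ev.get("user", ""), score, reasons))
    return alerts


# Constructed sample events: two searches for stored passwords, three benign processes, one malformed line
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2019-04-01T09:12:03Z", "host": "ws01", "user": "jdoe", "image": "findstr.exe",
     "cmdline": r"C:\Windows\System32\findstr.exe /si password *.txt *.ini *.xml"},
    {"ts": "2019-04-01T09:12:40Z", "host": "ws01", "user": "jdoe", "image": "notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\jdoe\Documents\login-notes.txt'},
    {"ts": "2019-04-01T09:13:11Z", "host": "ws01", "user": "jdoe", "image": "chrome.exe",
     "cmdline": "chrome.exe --type=renderer --lang=en-US"},
    {"ts": "2019-04-01T09:14:27Z", "host": "build03", "user": "ci", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c dir /s /b C:\Projects\*.cs"},
    {"ts": "2019-04-01T09:15:02Z", "host": "srv02", "user": "svc-backup", "image": "grep",
     "cmdline": 'grep -ri "password" /etc /home'},
]] + ["this line is not json"]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host} {a.user} score={a.score} {' '.join(a.reasons)}")
```

The reasons tuple is carried into the alert so an analyst sees which keyword and which utility fired; when tuning, raise THRESHOLD or trim the keyword list for hosts where "login" or "pwd" appear routinely in legitimate command lines, and pair the alert with the Valid Accounts logon telemetry the guidance points to, since the search itself is only the precursor.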

References

  1. CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.
  2. Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.
  3. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  4. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  5. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  6. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  7. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  8. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  9. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  10. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  11. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  12. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  13. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  14. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  15. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  16. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  17. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  18. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  19. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  20. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  21. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  22. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  23. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  24. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  25. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  26. Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  27. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  28. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  29. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.