
Credentials in Files

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through Credential Dumping.[1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.[2]

ID: T1081

Tactic: Credential Access

Platform: Linux, macOS, Windows

Permissions Required: User, Administrator, SYSTEM

Data Sources: File monitoring, Process command-line parameters

CAPEC ID: CAPEC-545

Version: 1.0

Examples

Name / Description
APT3

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[3]

BlackEnergy

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Mozilla password manager, Google Chrome password manager, Outlook, Internet Explorer, and Windows Credential Store.[4][5]

Mimikatz

Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions.[6][7]

pngdowner

If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[8]

Prikormka

A module in Prikormka gathers logins and passwords stored in applications on victim machines, including Google Chrome, Mozilla Firefox, and several other browsers.[9]

Proton

Proton gathers credentials in files for Chrome, 1Password, and keychains.[10]

QuasarRAT

QuasarRAT can obtain passwords from common browsers and FTP clients.[11][12]

Smoke Loader

Smoke Loader searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers.[13]

XAgentOSX

XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[14]

XTunnel

XTunnel is capable of accessing locally stored passwords on victims.[15]

Mitigation

Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove them when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences.[16]

Detection

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
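As an added illustration of the command-line monitoring described above (example code written for this edit, not part of the ATT&CK page), the following Python scans constructed process-creation records for a search utility invoked together with one of the keywords the page lists. The record format, the list of search tools and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Keywords the technique page gives as indicators of a password search,
# matched as whole words so that e.g. "pwd" does not fire on arbitrary substrings.
CREDENTIAL_TERMS = re.compile(r"\b(password|pwd|login|secure|credentials?)\b", re.IGNORECASE)

# Search utilities whose arguments are worth inspecting (assumed list, not from the page).
# The tool name must start the string or follow a path separator or a space.
SEARCH_TOOLS = re.compile(
    r"(?:^|[\\/ ])(findstr|grep|egrep|find|dir|select-string|get-childitem|gci)(?:\.exe)?\b",
    re.IGNORECASE,
)

# Constructed records: timestamp|host|user|image|commandline (the command line may itself contain '|').
SAMPLE_EVENTS = [
    "2023-05-01T10:02:11Z|ws01|alice|C:\\Windows\\System32\\findstr.exe|findstr /si password *.xml *.ini *.txt",
    "2023-05-01T10:03:40Z|srv02|svc_build|/usr/bin/grep|grep -ri credentials /var/www/app/config",
    "2023-05-01T10:05:02Z|ws01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\password_policy.docx",
    "2023-05-01T10:06:15Z|srv03|bob|/usr/bin/grep|grep -n TODO src/main.c",
    "2023-05-01T10:08:51Z|ws07|carol|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -c \"Get-ChildItem C:\\ -Recurse -Include *.config | Select-String -Pattern Password\"",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record; maxsplit=4 keeps any '|' inside the command line intact."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def credential_search_term(image: str, cmdline: str) -> Optional[str]:
    """Return the matched keyword when a search tool is run with a credential term, else None.

    Requiring both conditions keeps ordinary uses of the words (a document named
    password_policy.docx opened in an editor) from raising an alert.
    """
    if not (SEARCH_TOOLS.search(image) or SEARCH_TOOLS.search(cmdline)):
        return None
    match = CREDENTIAL_TERMS.search(cmdline)
    return match.group(1).lower() if match else None


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per record that looks like a search for credential files."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        term = credential_search_term(ev["image"], ev["cmdline"])
        if term:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "term": term, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['user']} term={alert['term']}: {alert['cmdline']}")
```

Hits on these records are a starting point for triage, not a verdict; tune the tool list and terms to the commands that are normal in your environment before enabling as an alert.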

References