Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).[1]
| ID | Name | Description |
|---|---|---|
| S0373 | Astaroth | Astaroth uses an external software known as NetPass to recover passwords.[2] |
| S1111 | DarkGate | DarkGate uses NirSoft tools to steal user credentials from the infected machine.[3] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| C0049 | Leviathan Australian Intrusions | Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.[4] |
| S1131 | NPPSPY | NPPSPY captures credentials by recording them through an alternative network listener registered to the |
| S1091 | Pacu | Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[6] |
| G1017 | Volt Typhoon | Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.[7] |
| ID | Mitigation | Description |
|---|---|---|
| M1015 | Active Directory Configuration | Remove vulnerable Group Policy Preferences.[8] |
| M1047 | Audit | Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. |
| M1041 | Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. |
| M1037 | Filter Network Traffic | Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.[9] |
| M1035 | Limit Access to Resource Over Network | Limit network access to sensitive services, such as the Instance Metadata API. |
| M1028 | Operating System Configuration | There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
| M1027 | Password Policies | Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files. |
| M1026 | Privileged Account Management | If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
| M1022 | Restrict File and Directory Permissions | Restrict file shares to specific directories with access only to necessary users. |
| M1051 | Update Software | Apply patch KB2962486 which prevents credentials from being stored in GPPs.[10][11] |
| M1017 | User Training | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0412 | Detect Access or Search for Unsecured Credentials Across Platforms | AN1153 | Unusual access to bash history, registry credentials paths, or private key files by unauthorized or scripting tools, with correlated file and process activity. |
| | | AN1154 | Reading of sensitive files like .bash_history, /etc/shadow, or private key directories by unauthorized users or unusual processes. |
| | | AN1155 | Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users. |
| | | AN1156 | Unusual web-based access or API scraping of password managers, single sign-on sessions, or credential sync services via browser automation or anomalous API tokens. |
| | | AN1157 | Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings. |
| | | AN1158 | Access to container image layers or mounted secrets (e.g., Docker secrets) by processes not tied to entrypoint or orchestration context. |
| | | AN1159 | Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings. |
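An added example, not part of the ATT&CK page, of the host-side logic behind AN1153, AN1154 and AN1155: file-read events are matched against the credential-store paths named in those analytics and alerted on when the reading process is not one expected to touch that path. The `user=... proc=... path=...` event format, the sample events and the per-category process allowlist are all constructed assumptions to be replaced with real telemetry and a site-specific baseline.

```python
import re

# Constructed sample file-read events (not real telemetry): who read what, via which process.
SAMPLE_LOG = """\
user=alice proc=bash path=/home/alice/.bash_history
user=svc-backup proc=python3 path=/home/alice/.bash_history
user=root proc=sshd path=/etc/shadow
user=www-data proc=sh path=/etc/shadow
user=bob proc=ssh path=/home/bob/.ssh/id_ed25519
user=bob proc=curl path=/home/bob/.ssh/id_rsa
user=carol proc=securityd path=/Users/carol/Library/Keychains/login.keychain-db
user=carol proc=osascript path=/Users/carol/Library/Keychains/login.keychain-db
user=alice proc=vim path=/home/alice/notes.txt
"""

# Credential-store paths from the analytics above, each with the processes a host would
# normally expect to read them. The allowlist is an assumption; baseline it per environment.
SENSITIVE = [
    ("shell_history", re.compile(r"/\.(bash|zsh)_history$"), {"bash", "zsh"}),
    ("shadow", re.compile(r"^/etc/shadow$"), {"sshd", "login", "passwd", "sudo", "su"}),
    ("private_key", re.compile(r"/\.ssh/id_[A-Za-z0-9]+$"), {"ssh", "ssh-add", "ssh-keygen"}),
    ("keychain", re.compile(r"/Library/Keychains/"), {"securityd", "security"}),
]

LINE_RE = re.compile(r"user=(\S+) proc=(\S+) path=(\S+)")


def classify(path):
    """Return (category, allowed_processes) if path is a known credential store, else None."""
    for category, pattern, allowed in SENSITIVE:
        if pattern.search(path):
            return category, allowed
    return None


def find_suspicious(log_text):
    """Return one alert dict per read of a sensitive path by a process outside its allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        user, proc, path = m.groups()
        hit = classify(path)
        if hit and proc not in hit[1]:
            alerts.append({"user": user, "proc": proc, "path": path, "category": hit[0]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {a['category']}: {a['user']} read {a['path']} via {a['proc']}")
```

On the sample above this flags the python3, sh, curl and osascript reads and stays quiet on the shell, sshd, ssh and securityd reads; the user field is kept so that reads by an account other than the home directory's owner can be correlated downstream.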