Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

ID: T1552
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: Administrator, SYSTEM, User
Data Sources: Command: Command Execution, File: File Access, Process: Process Creation, User Account: User Account Authentication, Windows Registry: Windows Registry Key Access
Version: 1.2
Created: 04 February 2020
Last Modified: 12 April 2021

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth uses an external software known as NetPass to recover passwords. [1]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Remove vulnerable Group Policy Preferences.[2]

M1047 Audit

Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.

M1041 Encrypt Sensitive Information

When possible, store keys on separate cryptographic hardware instead of on the local system.

M1037 Filter Network Traffic

Limit access to the Instance Metadata API using a host-based firewall such as iptables. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.[3]

M1028 Operating System Configuration

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:set +o history and set -o history to start logging again;unset HISTFILE being added to a user's .bash_rc file; andln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.

M1027 Password Policies

Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.

M1026 Privileged Account Management

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

M1022 Restrict File and Directory Permissions

Restrict file shares to specific directories with access only to necessary users.

M1051 Update Software

Apply patch KB2962486 which prevents credentials from being stored in GPPs.[4][5]

M1017 User Training

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

Detection

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.

Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Additionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

References