ID | Name |
---|---|
T1552.001 | Credentials In Files |
T1552.002 | Credentials in Registry |
T1552.003 | Bash History |
T1552.004 | Private Keys |
T1552.005 | Cloud Instance Metadata API |
T1552.006 | Group Policy Preferences |
T1552.007 | Container API |
T1552.008 | Chat Messages |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping.[1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.[2]
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.[3] They may also be found as parameters to deployment commands in container logs.[4] In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.[5]
ID | Name | Description |
---|---|---|
S0677 | AADInternals |
AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[6] |
S0331 | Agent Tesla |
Agent Tesla has the ability to extract credentials from configuration or support files.[7] |
G0022 | APT3 |
APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[8] |
G0064 | APT33 |
APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[9][10] |
S0344 | Azorult |
Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.[11] |
S0089 | BlackEnergy |
BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.[12][13] |
S0367 | Emotet |
Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [14][15] |
S0363 | Empire |
Empire can use various modules to search for files containing passwords.[16] |
G1016 | FIN13 |
FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.[17] |
G0117 | Fox Kitten |
Fox Kitten has accessed files to gain valid credentials.[18] |
S0601 | Hildegard |
Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.[3] |
S0283 | jRAT |
jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.[19] |
G0094 | Kimsuky |
Kimsuky has used tools that are capable of obtaining credentials from saved mail.[20] |
S0349 | LaZagne |
LaZagne can obtain credentials from chats, databases, mail, and WiFi.[21] |
G0077 | Leafminer |
Leafminer used several tools for retrieving login and password information, including LaZagne.[22] |
G0069 | MuddyWater |
MuddyWater has run a tool that steals passwords saved in victim email.[23] |
G0049 | OilRig |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[24][25][26][27] |
S0067 | pngdowner |
If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[28] |
S0378 | PoshC2 |
PoshC2 contains modules for searching for passwords in local and remote files.[29] |
S0192 | Pupy | |
S0583 | Pysa |
Pysa has extracted credentials from the password database before encrypting the files.[31] |
S0262 | QuasarRAT | |
G1015 | Scattered Spider |
Scattered Spider Spider searches for credential storage documentation on a compromised host.[34] |
S0226 | Smoke Loader |
Smoke Loader searches for files named logins.json to parse for credentials.[35] |
G0092 | TA505 |
TA505 has used malware to gather credentials from FTP clients and Outlook.[36] |
G0139 | TeamTNT |
TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[37][38][39] |
S0266 | TrickBot |
TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.[40][41] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[42] |
S0117 | XTunnel |
XTunnel is capable of accessing locally stored passwords on victims.[43] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
Preemptively search for files containing passwords and take actions to reduce the exposure risk when found. |
M1027 | Password Policies |
Establish an organizational policy that prohibits password storage in files. |
M1022 | Restrict File and Directory Permissions |
Restrict file shares to specific directories with access only to necessary users. |
M1017 | User Training |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
DS0022 | File | File Access |
Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. |
DS0009 | Process | Process Creation |
Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials. Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality. Analytic 1 - Credentials in Files & Registry
|