Unsecured Credentials: Chat Messages

Other sub-techniques of Unsecured Credentials (8)

ID	Name
T1552.001	Credentials In Files
T1552.002	Credentials in Registry
T1552.003	Bash History
T1552.004	Private Keys
T1552.005	Cloud Instance Metadata API
T1552.006	Group Policy Preferences
T1552.007	Container API
T1552.008	Chat Messages

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.

Rather than accessing the stored chat logs (i.e., Credentials In Files), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation ^[1].

ID: T1552.008

Sub-technique of: T1552

ⓘ

Tactic: Credential Access

ⓘ

Platforms: Office Suite, SaaS

Contributors: Douglas Weir

Version: 1.1

Created: 14 March 2023

Last Modified: 14 October 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G1004	LAPSUS$	LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.^[2]

Mitigations

ID	Mitigation	Description
M1047	Audit	Preemptively search through communication services to find shared unsecured credentials. Searching for common patterns like "`password is` ", "`password=`" and take actions to reduce exposure when found.
M1017	User Training	Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0015	Application Log	Application Log Content	Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.^[3] Analytic 1 - Abnormal search activity targeting passwords and other credential artifacts. `index=security sourcetype IN ("gsuite:activity", "o365:audit", "slack:events", "teams:events") (action IN ("message_send", "file_upload") AND (message_content="password" OR message_content="token" OR message_content="apikey" OR message_content="credentials" OR message_content="login" OR file_name="password" OR file_name="token" OR file_name="apikey" OR file_name="credentials"))`

DS0015

Application Log

Application Log Content

Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.^[3]

Analytic 1 - Abnormal search activity targeting passwords and other credential artifacts.

index=security sourcetype IN ("gsuite:activity", "o365:audit", "slack:events", "teams:events") (action IN ("message_send", "file_upload") AND (message_content="password" OR message_content="token" OR message_content="apikey" OR message_content="credentials" OR message_content="login" OR file_name="password" OR file_name="token" OR file_name="apikey" OR file_name="credentials"))

References

Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023.