Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).[1]
| ID | Name | Description |
|---|---|---|
| S0373 | Astaroth |
Astaroth uses an external software known as NetPass to recover passwords. [2] |
| S1111 | DarkGate |
DarkGate uses NirSoft tools to steal user credentials from the infected machine.[3] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| S1091 | Pacu |
Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1015 | Active Directory Configuration |
Remove vulnerable Group Policy Preferences.[5] |
| M1047 | Audit |
Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. |
| M1041 | Encrypt Sensitive Information |
When possible, store keys on separate cryptographic hardware instead of on the local system. |
| M1037 | Filter Network Traffic |
Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.[6] |
| M1035 | Limit Access to Resource Over Network |
Limit network access to sensitive services, such as the Instance Metadata API. |
| M1028 | Operating System Configuration |
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
| M1027 | Password Policies |
Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files. |
| M1026 | Privileged Account Management |
If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
| M1022 | Restrict File and Directory Permissions |
Restrict file shares to specific directories with access only to necessary users. |
| M1051 | Update Software |
Apply patch KB2962486 which prevents credentials from being stored in GPPs.[7][8] |
| M1017 | User Training |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[9] |
| DS0017 | Command | Command Execution |
While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
| DS0022 | File | File Access |
Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's |
| DS0009 | Process | Process Creation |
Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials. |
| DS0002 | User Account | User Account Authentication |
Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may search compromised systems to find and obtain insecurely stored credentials. |
| DS0024 | Windows Registry | Windows Registry Key Access |
Monitor for unexpected windows registry key being accessed that may search compromised systems to find and obtain insecurely stored credentials. |