Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.
|ID|Mitigation|Description|
|---|---|---|
|M1027|Password Policies|The password for the user's macOS login keychain can be changed so that it differs from the user's login password. This raises the bar for an adversary, who must then obtain a second password before the keychain can be unlocked.|
|M1017|User Training|Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.|
|M1026|Privileged Account Management|Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permission to query password stores only have access to the secrets they require.|
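One concrete way to act on the "only the secrets they require" part of M1026 for a cloud secrets vault is to audit the IAM policy attached to each workload for over-broad Secrets Manager access. The block below is an added example, not code from the ATT&CK page or from any vendor: the two policy documents, the account ID and the secret ARNs are constructed for illustration, and `find_overbroad_secret_access` is a hypothetical helper, not an AWS API.

```python
# Added example (not from the ATT&CK page or any vendor): audit an AWS IAM
# policy document for over-broad read access to a cloud secrets vault, one
# concrete way to enforce the "only the secrets they require" part of M1026.
# The two policies, the account ID and the secret ARNs are constructed for
# this example; the function is a hypothetical helper, not an AWS API.
import fnmatch
import json

# The action that actually returns secret material from Secrets Manager.
SECRET_READ_ACTION = "secretsmanager:getsecretvalue"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_secret_read(actions):
    """True if any Action pattern (e.g. '*', 'secretsmanager:*') covers GetSecretValue."""
    return any(fnmatch.fnmatchcase(SECRET_READ_ACTION, a.lower()) for a in actions)


def find_overbroad_secret_access(policy, allowed_secret_arns):
    """Return [(statement_index, resource)] for every Allow statement that
    lets the principal read a secret outside `allowed_secret_arns`.

    A resource entry is acceptable only if it is exactly one of the allowed
    ARN strings; "*", service-wide wildcards and unexpected ARNs are flagged.
    Deny statements and Condition blocks are not evaluated here, so treat a
    clean result as "no obvious over-grant", not as a full policy simulation.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_secret_read(_as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed_secret_arns:
                findings.append((idx, resource))
    return findings


# Constructed sample: the only secret this workload should ever read.
# The "-*" suffix stands in for the six random characters Secrets Manager
# appends to every secret ARN.
ALLOWED_SECRETS = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-*",
}

# Weak: statement 1 hands out every Secrets Manager action on every secret.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}
  ]
}""")

# Hardened: one read-only action, scoped to the single secret the role needs.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-*"]}
  ]
}""")


if __name__ == "__main__":
    print("weak    :", find_overbroad_secret_access(WEAK_POLICY, ALLOWED_SECRETS))
    print("hardened:", find_overbroad_secret_access(HARDENED_POLICY, ALLOWED_SECRETS))
```

The check deliberately treats any resource string that is not an exact, pre-approved ARN as a finding, so a policy that narrows the action but leaves `Resource: "*"` still fails. Run it against every role and instance profile that can reach the vault; the first statement in each sample policy shows that unrelated grants (here an S3 read) are ignored rather than reported as noise.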
|ID|Data Source|Data Component|Detects|
|---|---|---|---|
|DS0025|Cloud Service|Cloud Service Enumeration|Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as|
|DS0017|Command|Command Execution|Monitor executed commands and arguments that reference common password storage locations, which may indicate an attempt to obtain user credentials.|
|DS0022|File|File Access|Monitor for access to files in common password storage locations, which may indicate an attempt to obtain user credentials.|
|DS0009|Process|OS API Execution|Monitor for API calls that read from common password storage locations, which may indicate an attempt to obtain user credentials.|
|DS0009|Process|Process Access|Monitor for processes that access other processes holding credential material, which may indicate an attempt to obtain user credentials from password stores.|
|DS0009|Process|Process Creation|Monitor newly executed processes that may search common password storage locations to obtain user credentials.|
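The Command Execution, File Access and Cloud Service Enumeration rows describe what to watch for but not how a rule would match. The block below is an added example, not code from the ATT&CK page or from any product: it runs a small indicator set over constructed process-creation and file-access records. The record schema (`image`, `cmdline`, `target_path`, `user`), the sample events and the allowlisted backup agent are all assumptions made for this example; the indicator strings themselves come from the tools and stores the technique is about (Mimikatz credential modules, the macOS `security` tool, browser login databases, the Windows Credential Manager and DPAPI directories, KeePass files, and the AWS, Azure and Google Cloud secret CLIs).

```python
# Added example (not from the ATT&CK page): detection logic for the Command
# Execution, File Access and Cloud Service Enumeration rows above, run over
# constructed process-creation / file-access records. The record schema
# (image, cmdline, target_path, user) is an assumed normalised form, not any
# product's field names; the sample events and the allowlist entry are made up.
import re

# (name, regex over the lowercased command line or file path). The strings
# come from the tools and stores this technique is about: Mimikatz credential
# modules, the macOS `security` tool, browser login databases, the Windows
# Credential Manager / DPAPI directories, KeePass files and cloud secret CLIs.
INDICATORS = [
    ("mimikatz_credential_modules",
     re.compile(r"\b(sekurlsa|vault|dpapi|lsadump)::")),
    ("macos_keychain_dump",
     re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b")),
    ("browser_login_db",
     re.compile(r"(login data|logins\.json|key4\.db)")),
    ("windows_vault_dir",
     re.compile(r"\\microsoft\\(vault|credentials|protect)\\")),
    ("keepass_db", re.compile(r"\.kdbx\b")),
    ("cloud_secret_fetch",
     re.compile(r"(secretsmanager\s+get-secret-value"
                r"|keyvault\s+secret\s+(show|list)"
                r"|secrets\s+versions\s+access)")),
]


def indicators_for(event, allowlist=frozenset()):
    """Return the indicator names one event matches ([] means no hit).

    `allowlist` holds lowercased image paths (backup agents, the browser
    itself) whose access to these stores is expected; tune it per estate.
    """
    image = event.get("image", "").lower()
    if image in allowlist:
        return []
    haystack = " ".join(event.get(k, "") for k in ("cmdline", "target_path")).lower()
    return [name for name, rx in INDICATORS if rx.search(haystack)]


def hunt(events, allowlist=frozenset()):
    """Return (user, image, [indicators]) for every event that hit."""
    hits = []
    for ev in events:
        names = indicators_for(ev, allowlist)
        if names:
            hits.append((ev.get("user"), ev.get("image"), names))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c mimikatz.exe "vault::cred /patch" exit'},
    {"user": "jdoe", "image": "/usr/bin/security",
     "cmdline": "security dump-keychain -d login.keychain-db"},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" C:\Temp\ld'},
    {"user": "deploy", "image": "/usr/local/bin/aws",
     "cmdline": "aws secretsmanager get-secret-value --secret-id prod/db/password"},
    {"user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\update.exe",
     "target_path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"},
    {"user": "CORP\\svc_backup", "image": r"C:\Program Files\Acme Backup\agent.exe",
     "target_path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1\abc"},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# Hypothetical: the backup agent is expected to read DPAPI master keys.
KNOWN_GOOD_IMAGES = frozenset({r"c:\program files\acme backup\agent.exe"})

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, KNOWN_GOOD_IMAGES):
        print(hit)
```

Two points a practitioner would tune before deploying this: the file-path indicators fire on any read of the Credential Manager or DPAPI directories, so legitimate readers (backup agents, the user's own `lsass.exe`, browsers opening their own login database) belong on the allowlist keyed by image path, and the cloud indicators only see CLI invocations, so the same patterns should be paired with the provider's audit log (CloudTrail, Azure activity log) to catch SDK calls that never touch a shell.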