T1552: Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

clickhouse: PT-CR-1572: ClickHouse_Disable_User_Password: An attempt to disable a user account password is detected
clickhouse: PT-CR-1582: ClickHouse_Modify_Password_To_Plaintext: An attempt to change the password of a user to an unencrypted password is detected
clickhouse: PT-CR-1581: ClickHouse_Create_User_Without_Password: An attempt to create a user without a password is detected
clickhouse: PT-CR-1574: ClickHouse_Create_User_With_Plaintext_Password: An attempt to create a user with an unencrypted password is detected
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
mitre_attck_cred_access: PT-CR-911: Svchost_Memory_Dump: An svchost dump is generated
mitre_attck_cred_access: PT-CR-768: Intercept_Creds_From_MSTSC: Extraction of credentials used by mstsc.exe during an RDP connection is detected
mitre_attck_cred_access: PT-CR-898: Access_To_Files_Containing_Passwords: Access to files that can contain credentials
indeed_pam: PT-CR-2888: Indeed_Credentials_Check_After_Policy_Change: User or application credentials were viewed after a policy parameter was changed in the Indeed PAM application
enterprise_1c_and_bitrix: PT-CR-673: Enterprise_1C_Disable_User_Password_In_Authentication: A user password in a 1C system was disabled
enterprise_1c_and_bitrix: PT-CR-672: Enterprise_1C_Create_User_Without_Password: A user account without a password was created

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0017. Data source and component: Command: Command Execution. Description:

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

ID: DS0002. Data source and component: User Account: User Account Authentication. Description:

Monitor for attempts by a user to gain access to a network or computing resource, often by providing credentials, that may indicate the use of credentials an adversary obtained by searching compromised systems for insecurely stored credentials.

ID: DS0024. Data source and component: Windows Registry: Windows Registry Key Access. Description:

Monitor for unexpected Windows Registry keys being accessed, which may indicate an adversary searching compromised systems to find and obtain insecurely stored credentials.

ID: DS0015. Data source and component: Application Log: Application Log Content. Description:

Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.

ID: DS0022. Data source and component: File: File Access. Description:

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (e.g. regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.
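The DS0017 and DS0022 guidance above (credential keywords in command lines, direct reads of .bash_history, and one process reading many files in a short window) as detection logic run over constructed sample telemetry. This is an added example, not a MaxPatrol SIEM rule or MITRE content; the keyword list comes from the page, while the burst thresholds, field layout and sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords from the DS0017 guidance on this page; \b keeps "pwd" from matching inside longer tokens.
CRED_WORDS = re.compile(r"(?i)\b(password|passwd|pwd|login|secure|credentials?)\b")
# Direct reads of the shell history file, as opposed to the `history` builtin (DS0022 guidance).
HISTORY_READ = re.compile(r"(?i)\b(cat|less|more|head|tail|grep|strings)\b[^|;&]*\.bash_history")
BURST_FILES = 5                       # distinct files read by one process ...
BURST_WINDOW = timedelta(seconds=10)  # ... within this window is treated as scripted hunting (assumed thresholds)

def flag_command_line(cmd: str) -> list[str]:
    """Return the names of the detections that fire for one process command line."""
    hits = []
    if CRED_WORDS.search(cmd):
        hits.append("credential_keyword_in_cmdline")
    if HISTORY_READ.search(cmd):
        hits.append("direct_bash_history_read")
    return hits

def flag_file_bursts(events):
    """events: (iso_timestamp, pid, path) tuples from file-access telemetry.
    Returns the set of pids that read BURST_FILES distinct files within BURST_WINDOW."""
    by_pid = defaultdict(list)
    for ts, pid, path in events:
        by_pid[pid].append((datetime.fromisoformat(ts), path))
    flagged = set()
    for pid, reads in by_pid.items():
        reads.sort()  # chronological, so every read at index >= i is at or after t0
        for i, (t0, _) in enumerate(reads):
            window = {p for t, p in reads[i:] if t - t0 <= BURST_WINDOW}
            if len(window) >= BURST_FILES:
                flagged.add(pid)
                break
    return flagged

# Constructed sample telemetry for the demonstration; not captured from a real host.
SAMPLE_CMDLINES = [
    "grep -ri password /etc /home",   # keyword search for credentials -> fires
    "cat ~/.bash_history",            # direct history read -> fires
    "history | tail -n 20",           # benign use of the builtin -> clean
    "ls -la /var/log",                # benign -> clean
]
SAMPLE_FILE_EVENTS = [
    ("2024-01-01T10:00:00", 4242, "/home/alice/.bash_history"),
    ("2024-01-01T10:00:01", 4242, "/home/alice/.ssh/id_rsa"),
    ("2024-01-01T10:00:02", 4242, "/etc/mysql/my.cnf"),
    ("2024-01-01T10:00:03", 4242, "/home/alice/.aws/credentials"),
    ("2024-01-01T10:00:04", 4242, "/var/www/html/config.php"),
    ("2024-01-01T10:00:00", 5151, "/var/log/syslog"),   # two log reads five minutes apart -> clean
    ("2024-01-01T10:05:00", 5151, "/var/log/auth.log"),
]
```

In production the keyword rule is noisy on its own (administrators legitimately grep for "login" in logs), so it is best correlated with the burst rule or with an unexpected parent process before alerting.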

ID: DS0009. Data source and component: Process: Process Creation. Description:

Monitor newly executed processes that may be used to search compromised systems to find and obtain insecurely stored credentials.

Mitigation

ID: M1015. Name: Active Directory Configuration. Description:

Remove vulnerable Group Policy Preferences.

ID: M1017. Name: User Training. Description:

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

ID: M1022. Name: Restrict File and Directory Permissions. Description:

Restrict file shares to specific directories with access only to necessary users.

ID: M1026. Name: Privileged Account Management. Description:

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

ID: M1027. Name: Password Policies. Description:

Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.

ID: M1028. Name: Operating System Configuration. Description:

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: set +o history to stop logging (and set -o history to start logging again); adding unset HISTFILE to a user's .bashrc file; and ln -s /dev/null ~/.bash_history to write commands to /dev/null instead.

ID: M1035. Name: Limit Access to Resource Over Network. Description:

Limit network access to sensitive services, such as the Instance Metadata API.

ID: M1037. Name: Filter Network Traffic. Description:

Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.

ID: M1041. Name: Encrypt Sensitive Information. Description:

When possible, store keys on separate cryptographic hardware instead of on the local system.

ID: M1047. Name: Audit. Description:

Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.
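The M1047 audit (and the M1017 concern about plaintext passwords in configuration files) as a small preemptive scanner run over a constructed directory tree. This is an added example, not a Positive Technologies or MITRE tool; the credential key names, the placeholder heuristics and the sample files are assumptions, and the scanner reports only file and line, never the matched value.

```python
import re
import tempfile
from pathlib import Path

# key=value or key: value assignments for common credential keys, anchored at line start.
PASSWORD_LINE = re.compile(r"(?im)^\s*(?:password|passwd|pwd|secret|api_key)\s*[=:]\s*['\"]?([^'\"\s]+)")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
ENCRYPTED_KEY = re.compile(r"Proc-Type: 4,ENCRYPTED")   # legacy PEM header of a passphrase-protected key
PLACEHOLDER_PREFIXES = ("${", "<", "changeme", "xxxx")   # template values, not real secrets (assumed list)

def audit_file(path: Path) -> list[tuple[str, int]]:
    """Return (finding_type, line_number) pairs. The matched value itself is never
    returned or logged, so the audit report does not become a new plaintext store."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    findings = []
    for m in PASSWORD_LINE.finditer(text):
        if not m.group(1).lower().startswith(PLACEHOLDER_PREFIXES):
            findings.append(("plaintext_password", text.count("\n", 0, m.start()) + 1))
    km = PRIVATE_KEY.search(text)
    if km and not ENCRYPTED_KEY.search(text):   # M1027: private keys should carry a passphrase
        findings.append(("unencrypted_private_key", text.count("\n", 0, km.start()) + 1))
    return findings

def audit_tree(root: Path) -> dict[str, list[tuple[str, int]]]:
    """Walk root and map each relative file path to its findings (clean files are omitted)."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (found := audit_file(p)):
            report[str(p.relative_to(root))] = found
    return report

def build_sample_tree() -> Path:
    """Constructed sample files for the demonstration; none of these are real credentials."""
    root = Path(tempfile.mkdtemp())
    (root / "app.conf").write_text("db_host = localhost\npassword = hunter2\n")          # finding, line 2
    (root / "template.conf").write_text("password = ${DB_PASSWORD}\n")                    # placeholder, skipped
    (root / "id_demo").write_text("-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYDATA\n-----END RSA PRIVATE KEY-----\n")
    (root / "notes.txt").write_text("Remember to rotate the password quarterly.\n")      # prose, not an assignment
    return root

if __name__ == "__main__":
    for rel, found in audit_tree(build_sample_tree()).items():
        for kind, line in found:
            print(f"{rel}:{line}: {kind}")
```

Findings should feed a remediation workflow (move the secret to a vault or protected credential store, rotate it, fix permissions) rather than an alert queue, since the exposure exists whether or not anyone has read the file yet.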

ID: M1051. Name: Update Software. Description:

Apply patch KB2962486 which prevents credentials from being stored in GPPs.