T1552.001: Credentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files. They may also be found as parameters to deployment commands in container logs. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
yandex_cloud: PT-CR-821: Yandex_Cloud_Virtual_Machine_Metadata_Contains_Sensitive_Value: Sensitive data is detected in the custom metadata of a virtual machine unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read unix_mitre_attck_cred_access: PT-CR-1696: Unix_Cred_Files_Read: Unix OS files containing credentials were read freeipa: PT-CR-2577: FreeIPA_Cache_Credentials_Access: Access to file cache_credentials containing domain users' cached credentials freeipa: PT-CR-2576: FreeIPA_Id2entry_Dump: Access to file id2entry.db containing domain users' data vk_cloud: PT-CR-2103: VK_Cloud_VM_Metadata_Contains_Sensitive_Value: Sensitive data was detected in the custom metadata of a virtual machine, which can lead to the compromise of the cloud infrastructure mitre_attck_cred_access: PT-CR-300: Search_Stored_Credentials: A user started a utility or script to retrieve passwords mitre_attck_cred_access: PT-CR-1013: PuntoSwitcher_Diary_Open: Possible use of a Punto Switcher diary as a keylogger mitre_attck_cred_access: PT-CR-1827: IIS_Credential_Dumping: Accessing IIS credentials mitre_attck_cred_access: PT-CR-1721: ETWHash_Dump: Possible ETWHash activity mitre_attck_cred_access: PT-CR-898: Access_To_Files_Containing_Passwords: Access to files that can contain credentials hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials. Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality. Analytic 1 - Credentials in Files & Registry
|
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
---|
ID | DS0022 | Data source and component | File: File Access | Description | Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. |
---|
Mitigation
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Restrict file shares to specific directories with access only to necessary users. |
---|
ID | M1017 | Name | User Training | Description | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
---|
ID | M1047 | Name | Audit | Description | Preemptively search for files containing passwords and take actions to reduce the exposure risk when found. |
---|
ID | M1027 | Name | Password Policies | Description | Establish an organizational policy that prohibits password storage in files. |
---|