T1552.001: Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files. They may also be found as parameters to deployment commands in container logs. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

yandex_cloud: PT-CR-821: Yandex_Cloud_Virtual_Machine_Metadata_Contains_Sensitive_Value: Sensitive data is detected in the custom metadata of a virtual machine
unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read
unix_mitre_attck_cred_access: PT-CR-1696: Unix_Cred_Files_Read: Unix OS files containing credentials were read
freeipa: PT-CR-2577: FreeIPA_Cache_Credentials_Access: Access to file cache_credentials containing domain users' cached credentials
freeipa: PT-CR-2576: FreeIPA_Id2entry_Dump: Access to file id2entry.db containing domain users' data
vk_cloud: PT-CR-2103: VK_Cloud_VM_Metadata_Contains_Sensitive_Value: Sensitive data was detected in the custom metadata of a virtual machine, which can lead to the compromise of the cloud infrastructure
mitre_attck_cred_access: PT-CR-300: Search_Stored_Credentials: A user started a utility or script to retrieve passwords
mitre_attck_cred_access: PT-CR-1013: PuntoSwitcher_Diary_Open: Possible use of a Punto Switcher diary as a keylogger
mitre_attck_cred_access: PT-CR-1827: IIS_Credential_Dumping: Accessing IIS credentials
mitre_attck_cred_access: PT-CR-1721: ETWHash_Dump: Possible ETWHash activity
mitre_attck_cred_access: PT-CR-898: Access_To_Files_Containing_Passwords: Access to files that can contain credentials
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor newly executed processes that search local file systems and remote file shares for files containing insecurely stored credentials.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
CommandLine="reg query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="Get-UnattendedInstallFile" OR CommandLine="*Get-Webconfig" OR CommandLine="Get-ApplicationHost" OR CommandLine="Get-SiteListPassword" OR CommandLine="Get-CachedGPPPassword" OR CommandLine="Get-RegistryAutoLogon"
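As an added example (not part of the original page or of MaxPatrol SIEM), the following Python reproduces the matching logic of Analytic 1 over constructed event records, applying Splunk's field="value" semantics (case-insensitive whole-field match, '*' as the only wildcard) so the coverage of each pattern can be checked offline. The event tuples and their command lines are constructed test data, not real telemetry.

```python
import re

SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"
# (source, EventCode) pairs the analytic keys on: Sysmon EID 1 and Security EID 4688.
PROCESS_CREATE_SOURCES = {(SYSMON, "1"), (SECURITY, "4688")}

# CommandLine values copied from Analytic 1; '*' is the only wildcard.
COMMANDLINE_PATTERNS = [
    "reg query HKLM /f password /t REG_SZ /s*",
    "reg* query HKCU /f password /t REG_SZ /s",
    "Get-UnattendedInstallFile",
    "*Get-Webconfig",
    "Get-ApplicationHost",
    "Get-SiteListPassword",
    "Get-CachedGPPPassword",
    "Get-RegistryAutoLogon",
]

def field_matches(value: str, pattern: str) -> bool:
    """Splunk-style field="value" test: case-insensitive, the whole field must
    match, '*' stands for any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def matches_analytic(source: str, event_code: str, command_line: str) -> bool:
    """True when a single event satisfies Analytic 1 (right source and code, matching CommandLine)."""
    if (source, str(event_code)) not in PROCESS_CREATE_SOURCES:
        return False
    return any(field_matches(command_line, p) for p in COMMANDLINE_PATTERNS)

def run_analytic(events) -> list:
    """Return the CommandLine of every (source, EventCode, CommandLine) event the analytic alerts on."""
    return [cmd for src, code, cmd in events if matches_analytic(src, code, cmd)]

# Constructed sample events, not real telemetry: (source, EventCode, CommandLine).
SAMPLE_EVENTS = [
    (SYSMON, "1", "reg query HKLM /f password /t REG_SZ /s"),
    (SECURITY, "4688", "reg.exe query HKCU /f password /t REG_SZ /s"),
    (SECURITY, "4688", "powershell -ep bypass -c Get-Webconfig"),
    # Only Get-Webconfig carries a leading '*'; the other module names must equal
    # the entire CommandLine, so this wrapped call is not matched: a tuning point.
    (SECURITY, "4688", "powershell -c Get-CachedGPPPassword"),
    # Matching command line but a logon event (4624), outside the analytic's sources.
    (SECURITY, "4624", "reg query HKLM /f password /t REG_SZ /s"),
]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT:", hit)
```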

ID: DS0017
Data source and component: Command: Command Execution
Description:

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

ID: DS0022
Data source and component: File: File Access
Description:

Monitor for access to files on local file systems and remote file shares that may contain insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.

Mitigation

ID: M1022
Name: Restrict File and Directory Permissions
Description:

Restrict file shares to specific directories with access only to necessary users.

ID: M1017
Name: User Training
Description:

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

ID: M1047
Name: Audit
Description:

Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.

ID: M1027
Name: Password Policies
Description:

Establish an organizational policy that prohibits password storage in files.