T1555: Credentials from Password Stores
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_cred_access: PT-CR-765: Credential_Access_to_Passwords_Storage: Access to files containing credentials (browsers, password managers) is detected
oracle_database: PT-CR-285: Oracle_Select_table_with_hash: Reading of entries from tables containing password hashes
postgresql_database: PT-CR-1900: PostgreSQL_Dump_Credentials: Access to database credentials (passwords, hashes, or both) can lead to compromise of PostgreSQL data
mssql_database: PT-CR-409: MSSQL_dump_credential_hashes: An attempt to get database password hashes
active_directory_attacks: PT-CR-835: gMSA_Password_Access: A user accessed LDAP attributes that store data for offline generation of passwords for group Managed Service Accounts (gMSA). Passwords for these service accounts are usually managed automatically by AD.
active_directory_attacks: PT-CR-2295: Subrule_gMSA_LDAP_Query: A user accessed LDAP attributes that store data for offline generation of passwords for group Managed Service Accounts (gMSA)
mysql_database: PT-CR-615: MySQL_dump_credential_hashes: An attempt to retrieve database password hashes is detected
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2145: Subrule_FreeIPA_LDAP_Query: LDAP request to the FreeIPA domain
Detection
ID | Data source and component | Description
---|---|---
DS0025 | Cloud Service: Cloud Service Enumeration | Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as
DS0022 | File: File Access | Monitor for files being accessed that may search for common password storage locations to obtain user credentials.
DS0009 | Process: Process Access | Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.
DS0009 | Process: Process Creation | Monitor newly executed processes that may search for common password storage locations to obtain user credentials.
DS0009 | Process: OS API Execution | Monitor for API calls that may search for common password storage locations to obtain user credentials.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.
Mitigation
ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.
M1051 | Update Software | Perform regular software updates to mitigate exploitation risk.
M1027 | Password Policies | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password. Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.