MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1555: Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-765: Credential_Access_to_Passwords_Storage: Access to files containing credentials (browsers, password managers) is detected
oracle_database: PT-CR-285: Oracle_Select_table_with_hash: Reading of entries from tables containing password hashes
postgresql_database: PT-CR-1900: PostgreSQL_Dump_Credentials: Access to database credentials (passwords, hashes, or both) can lead to compromise of PostgreSQL data
mssql_database: PT-CR-409: MSSQL_dump_credential_hashes: An attempt to get database password hashes
active_directory_attacks: PT-CR-835: gMSA_Password_Access: A user accessed LDAP attributes that store data for offline generation of passwords for group Managed Service Accounts (gMSA). Passwords for these service accounts are usually managed automatically by AD.
active_directory_attacks: PT-CR-2295: Subrule_gMSA_LDAP_Query: A user accessed LDAP attributes that store data for offline generation of passwords for group Managed Service Accounts (gMSA)
mysql_database: PT-CR-615: MySQL_dump_credential_hashes: An attempt to retrieve database password hashes is detected
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2145: Subrule_FreeIPA_LDAP_Query: LDAP request to the FreeIPA domain

Detection

ID: DS0025. Data source and component: Cloud Service: Cloud Service Enumeration. Description:

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.
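The "unusually high number of secret requests" alert above, worked through as an added example that is not part of this page or of the MaxPatrol SIEM rule set: a sliding-window count of AWS GetSecretValue calls per caller, run over constructed CloudTrail-shaped events (the ARNs, secret names and timestamps are made up; the window and threshold are assumptions to be tuned per environment).

```python
"""Added example: flag callers that fetch many Secrets Manager secrets quickly."""
from collections import defaultdict, deque
from datetime import datetime, timezone

SECRETS_SOURCE = "secretsmanager.amazonaws.com"


def _ev(ts, arn, name, secret=None):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    ev = {"eventTime": ts, "eventSource": SECRETS_SOURCE, "eventName": name,
          "userIdentity": {"arn": arn}}
    if secret:
        ev["requestParameters"] = {"secretId": secret}
    return ev


# Constructed sample: a CI role reading one secret now and then, and a
# short-lived user listing the store and then pulling six secrets in 25 s.
DEPLOY = "arn:aws:iam::111111111111:role/ci-deploy"
SUSPECT = "arn:aws:iam::111111111111:user/contractor-tmp"
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", DEPLOY, "GetSecretValue", "prod/db/password"),
    _ev("2024-05-01T10:12:00Z", DEPLOY, "GetSecretValue", "prod/db/password"),
    _ev("2024-05-01T10:30:00Z", SUSPECT, "ListSecrets"),
    _ev("2024-05-01T10:30:05Z", SUSPECT, "DescribeSecret", "prod/db/password"),
] + [_ev(f"2024-05-01T10:30:{10 + 5 * i:02d}Z", SUSPECT, "GetSecretValue",
         f"prod/app{i}/api-key") for i in range(6)]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_secret_harvesting(events, window_seconds=300, threshold=5):
    """Return {arn: {"count", "distinct_secrets", "last_seen"}} for each caller
    whose GetSecretValue calls inside any window_seconds-wide window reach
    threshold (largest window kept). ListSecrets/DescribeSecret are not
    counted: enumeration alone returns no credential material."""
    recent = defaultdict(deque)   # arn -> (time, secretId) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != SECRETS_SOURCE or ev.get("eventName") != "GetSecretValue":
            continue
        arn, t = ev["userIdentity"]["arn"], _parse(ev["eventTime"])
        q = recent[arn]
        q.append((t, ev.get("requestParameters", {}).get("secretId", "<unknown>")))
        while (t - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(arn, {}).get("count", 0):
            alerts[arn] = {"count": len(q), "distinct_secrets": sorted({s for _, s in q}),
                           "last_seen": ev["eventTime"]}
    return alerts
```

The distinct-secret list is what makes the alert actionable: one secret read repeatedly is usually a retry loop, many different secrets in one burst is the pattern the data source above is meant to surface.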

ID: DS0022. Data source and component: File: File Access. Description:

Monitor access to files in common password storage locations (browser profiles, password manager databases, keychains); such reads may indicate attempts to obtain user credentials.

ID: DS0009. Data source and component: Process: Process Access. Description:

Monitor for processes that open handles to other processes holding credentials, which may be attempts to read password store contents from memory.

ID: DS0009. Data source and component: Process: Process Creation. Description:

Monitor newly executed processes that may be used to search common password storage locations for user credentials.

ID: DS0009. Data source and component: Process: OS API Execution. Description:

Monitor for API calls that may be used to search common password storage locations for user credentials.

ID: DS0017. Data source and component: Command: Command Execution. Description:

Monitor executed commands and arguments that may be used to search common password storage locations for user credentials.

Mitigation

ID: M1026. Name: Privileged Account Management. Description:

Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.

ID: M1051. Name: Update Software. Description:

Perform regular software updates to mitigate exploitation risk.

ID: M1027. Name: Password Policies. Description:

The password for the user's login keychain can be set to differ from the user's login password. This raises the effort for an adversary, who then needs to know an additional password.

Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.