Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Techniques

Techniques: 6
ID Name Description
VT0013 Brute Force Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
VT0021 Credentials from Password Stores Adversaries may search for common password storage locations to obtain machine identities and user credentials. Keys and passwords are often stored in several places on a system, depending on the operating system or application holding them. There are also specific applications that store keys and passwords to make them easier for users to manage and maintain. Once credentials are obtained, they can be used to perform Lateral Movement and access restricted information.
.001 Keychain Adversaries may collect the keychain storage data from a system to acquire machine identities. Keychains are the built-in way for macOS to keep track of users' keys and credentials for various services and features, such as certificates. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.
.002 Securityd Memory On macOS, an adversary with root access can read securityd's memory and find the correct sequence of keys to decrypt the user's logon keychain, giving them access to all the information stored in the keychain, including keys and credentials in plaintext.
.003 Credentials from Web Browsers Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials and other sensitive information.
VT0018 Input Capture Adversaries may use methods of capturing user input to obtain machine identities and credentials or collect information. During normal system usage, users often provide machine identities and credentials to various locations, such as system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service.
.001 Keylogging Adversaries may log user keystrokes to intercept credentials and password-protected machine identities as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
VT0022 Man-in-the-Middle (MITM) A man in the middle (MITM) attack is a general term for when adversaries position themselves between a user and an application or a device for the purpose of eavesdropping or impersonation of legitimate communication.
.001 TLS Stripping An adversary who has intercepted a connection may try to defeat the secure communication between a client and a server using SSL stripping. An SSL stripping attack downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The adversary serves an unencrypted version of the application's site to the user while maintaining the secured session with the application, acting as a "bridge" between them. (Citation: Imperva)
.002 DNS Hijacking The adversary is trying to perform a Man in the Middle (MITM) attack using Domain Name System (DNS) hijacking. DNS hijacking, also referred to as DNS redirection, is when DNS queries are incorrectly resolved in order to unexpectedly redirect the client to an attacker-controlled server. To enable this attack, the adversary must compromise the target client or router, or intercept DNS communication using other Man in the Middle (MITM) techniques.
.003 DNS Spoofing/Cache Poisoning The adversary attempts to perform a Man in the Middle (MITM) attack using DNS spoofing. DNS spoofing, also known as DNS cache poisoning, involves altering the cached IP addresses of a DNS server to attacker-controlled ones. A cache is a hardware or software component that stores data so that future requests for that data can be served faster. In DNS servers, the cache is used to store previously resolved names.
.004 HTTPS Spoofing An adversary who has intercepted a secure communication attempts to perform HTTPS spoofing to decrypt the traffic. In HTTPS spoofing, the adversary sends a rogue certificate to the victim's browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies against an existing list of trusted sites. The adversary is then able to access any data entered by the victim before it is passed to the application.
.005 SSL Hijacking An adversary who has intercepted a secure communication attempts to perform Session Hijacking, also known as SSL or TLS hijacking, to decrypt the traffic. Session hijacking is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been obtained, the adversary can masquerade as the user and perform anything the user is authorized to do on the network.
VT0019 Network Sniffing Adversaries may sniff network traffic to capture information about an environment, including machine identities and authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
VT0017 Unsecured Credentials Adversaries may search compromised systems to find and obtain insecurely stored machine identities and credentials. These machine identities can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
.001 Credentials In Files Adversaries may search local file systems and remote file shares for files containing insecurely stored machine identities and credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords or keys for a system or service, or source code/binary files containing embedded passwords or keys.
.002 Credentials in Registry In Windows OS, adversaries may search the Registry on compromised systems for insecurely stored machine identities and credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and keys that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
.003 Bash History Adversaries may search the bash command history on compromised systems for insecurely stored machine identities and credentials. Bash keeps track of the commands users type on the command line with the "history" utility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type their usernames, keys and passwords on the command line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential machine identities and credentials.
.004 Private Keys Adversaries may search for insecurely stored private key certificate files on compromised systems. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures and can be identified by their file extensions: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

ID: VTA0006

MITRE ID:

Created: 26 November 2020

Last Modified: 26 November 2020