Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored machine identities and credentials. These machine identities can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (e.g. regex patterns). These may be indicators of automated or scripted credential access behavior.

Monitoring when a user's .bash_history file is read can help alert to suspicious activity. While users do typically rely on their command history, they usually access it through the shell's "history" builtin rather than through commands like cat ~/.bash_history that read the file directly.

Additionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.
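The detection guidance above, as an added example that is not part of the original page: a small Python triage routine that applies the keyword, .bash_history-read, Registry-query and bulk-file-read indicators to process events and correlates them into a severity. The event field names and the bulk-read threshold are assumptions, and the events are constructed samples, not real telemetry.

```python
import re

# Constructed sample process-execution events (not real telemetry). Field names are
# assumed stand-ins for what process monitoring and file monitoring would supply.
SAMPLE_EVENTS = [
    {"process": "grep", "cmdline": "grep -ri password /etc /home", "files_read": 340, "window_s": 4},
    {"process": "bash", "cmdline": "history", "files_read": 0, "window_s": 1},
    {"process": "cat", "cmdline": "cat /home/bob/.bash_history", "files_read": 1, "window_s": 1},
    {"process": "reg.exe", "cmdline": "reg query HKLM /f password /t REG_SZ /s", "files_read": 0, "window_s": 2},
    {"process": "bash", "cmdline": "pwd", "files_read": 0, "window_s": 1},
    {"process": "vim", "cmdline": "vim notes.txt", "files_read": 2, "window_s": 3},
]

# Keyword list taken from the detection guidance; "pwd" is also a shell builtin, so a
# bare "pwd" command is ignored to avoid obvious noise.
CREDENTIAL_TERMS = re.compile(r"\b(password|passwd|pwd|login|secure|credentials?)\b", re.I)
HISTORY_FILE = re.compile(r"\.bash_history\b")
READ_UTILITIES = {"cat", "less", "more", "head", "tail", "strings", "type"}
REGISTRY_QUERY = re.compile(r"^reg(\.exe)?\s+query\b", re.I)
BULK_READ_RATE = 20.0  # files per second; assumed threshold, tune per environment


def analyze_event(ev):
    """Return the list of indicators a single event triggers (empty when none)."""
    cmd = ev["cmdline"]
    findings = []
    if CREDENTIAL_TERMS.search(cmd) and cmd.strip().lower() != "pwd":
        findings.append("credential_keyword_in_cmdline")
    # The "history" builtin never reads the file through a utility, so it does not fire.
    if ev["process"] in READ_UTILITIES and HISTORY_FILE.search(cmd):
        findings.append("direct_bash_history_read")
    if REGISTRY_QUERY.search(cmd) and CREDENTIAL_TERMS.search(cmd):
        findings.append("registry_credential_search")
    if ev["files_read"] / max(ev["window_s"], 1) >= BULK_READ_RATE:
        findings.append("bulk_file_read")
    return findings


def severity(findings):
    """Correlate indicators: a single one is low, two or more together is high."""
    if not findings:
        return "none"
    return "high" if len(findings) >= 2 else "low"


def triage(events):
    """Map each event index to (severity, findings) for analyst review."""
    result = {}
    for i, ev in enumerate(events):
        findings = analyze_event(ev)
        result[i] = (severity(findings), findings)
    return result


if __name__ == "__main__":
    for i, (sev, findings) in triage(SAMPLE_EVENTS).items():
        print(i, sev, findings)
```

Correlating indicators this way is what keeps a lone keyword hit (which any text editor invocation can produce) from paging an analyst, while a keyword hit plus a bulk read in the same event is escalated.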

ID: VT0017
MITRE ID:
Tactic: Credential Access
Platforms: AWS, Azure, Azure AD, GCP, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: Administrator, SYSTEM, User
Data Sources: AWS CloudTrail logs, Authentication logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Version: 1.1

Created: 27 December 2020

Last Modified: 17 March 2021