Unsecured Credentials: Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored machine identities and credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords or keys for a system or service, or source code/binary files containing embedded passwords or keys.

Procedure Examples

Name: TrickBot
Description: TrickBot can obtain credentials stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN, WinSCP and VNC.[1][2][3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
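The command-line monitoring described above, as an added example that is not part of the original page: a small Python detector that applies the page's keyword list to constructed process-creation events, and raises the severity when the keyword appears as a search term in a file-search tool (the tool list and the severity rule are assumptions to be tuned per environment, not part of the page).

```python
import re
from typing import Optional

# Keywords named in the Detection section, matched as whole words, case-insensitively.
CRED_KEYWORDS = ("password", "pwd", "login", "secure", "credentials")
CRED_PATTERN = re.compile(r"\b(" + "|".join(CRED_KEYWORDS) + r")\b", re.IGNORECASE)

# Assumption: tools commonly used to search files for strings; a keyword passed to one
# of these is a stronger signal than the same word inside an ordinary command line.
SEARCH_TOOLS = {"findstr", "findstr.exe", "grep", "egrep", "rg", "select-string", "dir", "ls", "find"}


def flag_commandline(cmdline: str) -> Optional[dict]:
    """Return a finding when a process command line looks like a credential hunt."""
    tokens = cmdline.split()  # naive split; quoted paths with spaces are not parsed
    if not tokens:
        return None
    # Basename of the executable, tolerant of Windows and POSIX path separators.
    tool = tokens[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    hits = sorted({m.group(1).lower() for m in CRED_PATTERN.finditer(cmdline)})
    if not hits:
        return None
    severity = "high" if tool in SEARCH_TOOLS else "low"
    return {"tool": tool, "keywords": hits, "severity": severity}


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "alice", "cmd": r"findstr /si password *.xml *.ini *.txt"},
    {"user": "bob", "cmd": r'grep -ri "pwd\|credentials" /etc /home'},
    {"user": "svc", "cmd": r"C:\App\app.exe --config C:\App\settings.json"},
    {"user": "carol", "cmd": r"dir /s /b *login*"},
]


def scan_events(events) -> list:
    """Run the detector over a batch of events and collect findings with the acting user."""
    findings = []
    for ev in events:
        finding = flag_commandline(ev["cmd"])
        if finding:
            findings.append({"user": ev["user"], **finding})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

A bare `pwd` on Linux also matches the keyword list and is reported at low severity, which shows why the page's word list needs environment-specific tuning before it is used for alerting.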

References

ID: VT0017.001
Sub-techniques: (none listed)
Tactic: Credential Access
Platforms: AWS, Azure, GCP, Linux, Windows, macOS
System Requirements: Access to files
Permissions Required: Administrator, SYSTEM, User
Data Sources: File monitoring, Process command-line parameters
CAPEC ID: (none listed)
Version: 1.0

Created: 27 December 2020

Last Modified: 27 December 2020