Unsecured Credentials: Credentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored machine identities and credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords or keys for a system or service, or source code/binary files containing embedded passwords or keys.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
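As an added illustration of the detection idea above (example code, not part of the original page), the following Python applies a whole-word, case-insensitive match for the terms listed in the text to the command line of each process-creation event, and raises the severity when the same command line also invokes a file-search utility. The search-tool list and the sample events are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Whole-word, case-insensitive match for the terms named in the description.
CRED_TERMS = re.compile(r"\b(password|pwd|login|secure|credentials)\b", re.IGNORECASE)

# Common file-search utilities (assumption: tune this list to the environment's tooling).
SEARCH_TOOLS = re.compile(r"\b(findstr|grep|egrep|rg|select-string|sls|find|dir|ls)\b",
                          re.IGNORECASE)


def score_cmdline(cmdline: str) -> Dict:
    """Return matched terms, whether a search tool is present, and a severity label."""
    terms = sorted({m.lower() for m in CRED_TERMS.findall(cmdline)})
    uses_search_tool = bool(SEARCH_TOOLS.search(cmdline))
    if not terms:
        severity = "none"          # no credential keyword at all
    elif uses_search_tool:
        severity = "high"          # keyword combined with a recursive/bulk search tool
    else:
        severity = "low"           # keyword only, e.g. a file name passed to an editor
    return {"terms": terms, "search_tool": uses_search_tool, "severity": severity}


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return the events whose command line triggers a low or high severity."""
    alerts = []
    for ev in events:
        result = score_cmdline(ev["cmdline"])
        if result["severity"] != "none":
            alerts.append({**ev, **result})
    return alerts


# Constructed sample process-creation events (hypothetical, not captured data).
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "jdoe", "cmdline": 'findstr /S /I "password" C:\\Users\\*.txt'},
    {"pid": 4133, "user": "jdoe", "cmdline": "grep -ri 'credentials' /etc/ /home/"},
    {"pid": 4150, "user": "svc_build", "cmdline": "python build.py --release"},
    {"pid": 4161, "user": "jdoe", "cmdline": "notepad.exe C:\\temp\\login-notes.txt"},
    {"pid": 4172, "user": "jdoe", "cmdline": "powershell -c Get-ChildItem -Recurse | Select-String pwd"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["user"], alert["terms"], alert["cmdline"])
```

The severity split keeps the keyword list from the text as the trigger while letting the analyst triage the keyword-plus-search-tool combination first.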
Created: 27 December 2020
Last Modified: 27 December 2020