Credentials from Password Stores

Adversaries may search for common password storage locations to obtain machine identities and user credentials. Keys and passwords are often stored in several places on a system, depending on the operating system or the application holding them. There are also dedicated applications that store keys and passwords to make them easier for users to manage and maintain. Once credentials are obtained, they can be used to perform Lateral Movement and access restricted information.

Procedure Examples

Name Description
APT39

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[1]

Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[2][3][4][5]

PLEAD

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[6]

UNC2452

UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor system calls, file read events, and processes for suspicious activity that could indicate a search for passwords, such as keyword searches in process memory for terms like password, pwd, login, store, secure, or credentials. File read events involving known password storage applications and locations should also be monitored.
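The following added example (not part of the original page) shows the second half of that guidance as detection logic: file-read telemetry is matched against path patterns for well-known credential stores and an alert is raised when the reading process is outside an expected-reader baseline. The store patterns, the baseline, and the sample events are all constructed assumptions to be tuned for a real environment.

```python
import re

# Illustrative path patterns for well-known credential stores (assumption: a
# starter list, not exhaustive; extend it for the stores in your estate).
STORE_PATTERNS = {
    "dpapi_masterkey": re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\", re.I),
    "windows_credman": re.compile(r"\\Microsoft\\(Credentials|Vault)\\", re.I),
    "chrome_logins": re.compile(r"\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    "ssh_private_key": re.compile(r"/\.ssh/id_[a-z0-9]+$"),
    "macos_keychain": re.compile(r"/Library/Keychains/[^/]+\.keychain(-db)?$"),
}
# Processes normally expected to open each store (assumption: a baseline you
# would derive from your own telemetry, as lower-case image names).
EXPECTED_READERS = {
    "dpapi_masterkey": {"lsass.exe"},
    "windows_credman": {"lsass.exe"},
    "chrome_logins": {"chrome.exe"},
    "ssh_private_key": {"ssh", "ssh-add", "ssh-agent"},
    "macos_keychain": {"securityd"},
}

def classify_read(path):
    """Return the credential-store label a file path belongs to, or None."""
    for label, pattern in STORE_PATTERNS.items():
        if pattern.search(path):
            return label
    return None

def detect(events):
    """Flag file-read events (dicts with host, process, pid, path) where a
    credential store is opened by a process outside the expected-reader baseline."""
    alerts = []
    for ev in events:
        label = classify_read(ev["path"])
        if label and ev["process"].lower() not in EXPECTED_READERS[label]:
            alerts.append({"host": ev["host"], "process": ev["process"],
                           "pid": ev["pid"], "store": label, "path": ev["path"]})
    return alerts

# Constructed sample telemetry (not real events), shaped like normalised file-read records.
DPAPI_KEY = r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-111-222-333-1001\0f3a"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "lsass.exe", "pid": 712, "path": DPAPI_KEY},
    {"host": "ws01", "process": "powershell.exe", "pid": 4410, "path": DPAPI_KEY},
    {"host": "ws01", "process": "chrome.exe", "pid": 2208, "path": LOGIN_DATA},
    {"host": "ws01", "process": "python.exe", "pid": 5120, "path": LOGIN_DATA},
    {"host": "srv02", "process": "ssh", "pid": 3301, "path": "/home/bob/.ssh/id_ed25519"},
    {"host": "srv02", "process": "cat", "pid": 3302, "path": "/home/bob/.ssh/id_ed25519"},
    {"host": "ws01", "process": "notepad.exe", "pid": 900, "path": r"C:\Users\alice\Documents\notes.txt"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts (the PowerShell, Python and cat reads); the baseline reads and the unrelated document read produce none.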

References

ID: VT0021
MITRE ID:
Tactic: Credential Access
Platforms: Linux, Windows, macOS
Permissions Required: Administrator
Data Sources: API monitoring, File monitoring, PowerShell logs, Process monitoring, System calls
Version: 1.0

Created: 29 December 2020

Last Modified: 29 December 2020