Credential Access

Techniques

ID / Name / Description
EST000108
Brute Force
A Cyber Embedded Technique in which an adversary uses brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.

Credential Dumping is used to obtain password hashes; this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.

Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

• SSH (22/TCP)
• Telnet (23/TCP)
• FTP (21/TCP)
• NetBIOS / SMB / Samba (139/TCP & 445/TCP)
• LDAP (389/TCP)
• Kerberos (88/TCP)
• RDP / Terminal Services (3389/TCP)
• HTTP/HTTP Management Services (80/TCP & 443/TCP)
• MSSQL (1433/TCP)
• Oracle (1521/TCP)
• MySQL (3306/TCP)
• VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.

In addition to management services, adversaries may target proprietary UART or other serial interfaces intended for maintenance. These maintenance interfaces generally do not follow a standard protocol, as they are vendor specific.

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than SMB, which creates Windows "logon failure" event ID 4625.
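The one-password-many-accounts pattern described above leaves a distinctive footprint in event ID 4625 data, which a defender can separate from classic single-account brute force. The following is an added example, not part of the original catalogue; the event lines are constructed, and the window and thresholds are assumed values that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): one failed logon per line, modelled
# on Windows event ID 4625 fields: time, event ID, target account, source IP.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 4625 alice 10.0.0.7
2024-05-01T08:00:02 4625 bob 10.0.0.7
2024-05-01T08:00:03 4625 carol 10.0.0.7
2024-05-01T08:00:04 4625 dave 10.0.0.7
2024-05-01T08:00:05 4625 erin 10.0.0.7
2024-05-01T08:10:00 4625 svc_backup 10.0.0.9
2024-05-01T08:10:01 4625 svc_backup 10.0.0.9
2024-05-01T08:10:02 4625 svc_backup 10.0.0.9
2024-05-01T08:10:03 4625 svc_backup 10.0.0.9
2024-05-01T09:30:00 4625 alice 10.0.0.22
"""


def parse_events(text):
    """Return (timestamp, account, source_ip) tuples for every 4625 line."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1] == "4625":
            events.append((datetime.fromisoformat(fields[0]), fields[2].lower(), fields[3]))
    return events


def classify_sources(events, window=timedelta(minutes=30),
                     spray_accounts=5, brute_attempts=4):
    """Label each source IP: 'password_spray' (many distinct accounts inside one
    window) or 'brute_force' (one account hit repeatedly); quiet sources are omitted."""
    by_src = defaultdict(list)
    for ts, account, src in events:
        by_src[src].append((ts, account))
    findings = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # every failure from this source within `window` of the i-th one
            accounts = [a for t, a in items[i:] if t - start <= window]
            if len(set(accounts)) >= spray_accounts:
                findings[src] = "password_spray"
                break
            if len(accounts) >= brute_attempts and len(set(accounts)) == 1:
                findings[src] = "brute_force"
                break
    return findings
```

Because a spray keeps per-account failures below the lockout threshold, counting distinct target accounts per source is what exposes it; per-account failure counts alone would not.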
EST000109
Credential Dumping
A Cyber Embedded Technique in which an adversary extracts stored credentials, such as usernames, passwords, or cryptographic keys, from a maintenance aid or remote (over the air loading/keying) data load.

The dumped credentials can then be used for subsequent malicious activities, such as gaining unauthorized access to the LRU itself, compromising other systems, or intercepting sensitive communications. The lack of encryption during binary transfers from support system to the LRU can allow an adversary to use dumped credentials to inject malicious binaries onto the LRU.
EST000110
Credentials in Files
A Cyber Embedded Technique in which an adversary searches local file systems and remote file shares for files containing passwords.

These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.

In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.
EST000111
Exploitation for Credential Access
A Cyber Embedded Technique in which an adversary exploits software vulnerabilities to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
EST000112
Credential Access Hooking
A Cyber Embedded Technique in which an adversary exploits a process that leverages application programming interface (API) functions to perform tasks that require reusable system resources.

Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

Hooking involves redirecting calls to these functions and can be implemented via:

• Hook procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.
• Import address table (IAT) hooking, which uses modifications to a process's IAT, where pointers to imported API functions are stored.
• Inline hooking, which overwrites the first bytes in an API function to redirect code flow.

Similar to Process Injection, adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.

Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. 

Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. 
EST000113
Credential Access Input Capture
A Cyber Embedded Technique in which an adversary captures user input to obtain credentials for Valid Accounts and information for Collection; methods include keylogging and user input field interception.

This could include MCDUs on an aircraft, tank, and/or ship, in addition to other operator interfaces that are not a standard keyboard/mouse.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.
EST000114
Credential Access Network Sniffing
A Cyber Embedded Technique in which an adversary uses a network interface on a system to monitor or capture information sent over a wired or wireless connection.

An adversary may place a network interface into promiscuous mode to passively access data in transit over the network or use span ports to capture a larger amount of data. This can be inclusive of standard IP-based protocols as well as embedded serial buses, such as ARINC 429, J1939, CAN, AS5643, etc.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g., IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.
EST000115
Private Keys
A Cyber Embedded Technique in which an adversary gathers private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files.

Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.

Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.
EST000116
Reverse Engineering Extraction of Obfuscated Credentials
A Cyber Embedded Technique in which an adversary extracts credentials that are deliberately hidden or protected using non-trivial methods.

These credentials are not directly accessible through simple file reading and require specialized techniques to uncover. The adversary may employ a variety of methods to extract these credentials, including:
- Reverse engineering compiled binaries to uncover obfuscated or encrypted credentials.
- Analyzing persistent read-only memory or similar hardware components.
- Recovering credentials hidden in unconventional locations, such as HDD sectors marked as bad or fragmented across multiple locations.
- Exploiting vulnerabilities in custom credential management schemes.

This technique differs from Credentials in Files (EST000110) in that it specifically addresses the extraction of credentials that are deliberately not stored in easily accessible file structures and require specialized knowledge or tools to uncover.

Previously named: Reverse Engineering Extraction of Hard-Coded Credentials
EST000117
Default Credentials from System Documentation
A Cyber Embedded Technique in which an adversary references system documentation for an LRU to discover credentials stored in the documentation.

These credentials may be provided in the documentation by vendors for specific types of service access, privileged processes, or ease of maintenance.