Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Techniques: 17

| ID | Name | Description |
|---|---|---|
| T1557 | Adversary-in-the-Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions. |
| .001 | LLMNR/NBT-NS Poisoning and SMB Relay | By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system. This activity may be used to collect or relay authentication materials. |
| .002 | ARP Cache Poisoning | Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. |
| .003 | DHCP Spoofing | Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. |
| T1110 | Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials, or offline against previously acquired credential data, such as password hashes. |
| .001 | Password Guessing | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity, or use policies that may lock accounts out after a number of failed attempts. |
| .002 | Password Cracking | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices. |
| .003 | Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. |
| .004 | Credential Stuffing | Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. |
| T1555 | Credentials from Password Stores | Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
| .001 | Keychain | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple's iCloud service. |
| .002 | Securityd Memory | An adversary who has obtained root access (allowing them to read securityd's memory) can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. |
| .003 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. |
| .004 | Windows Credential Manager | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). |
| .005 | Password Managers | Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. |
| T1212 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. |
| T1187 | Forced Authentication | Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism that they can intercept. |
| T1606 | Forge Web Credentials | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. |
| .001 | Web Cookies | Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. |
| .002 | SAML Tokens | An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the `NotOnOrAfter` value of the `conditions ...` element in a token. This value can be changed using the `AccessTokenLifetime` in a `LifetimeTokenPolicy`. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism. |
| T1056 | Input Capture | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). |
| .001 | Keylogging | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. |
| .002 | GUI Input Capture | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). |
| .003 | Web Portal Capture | Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. |
| .004 | Credential API Hooking | Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. |
| .001 | Domain Controller Authentication | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. |
| .002 | Password Filter DLL | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. |
| .003 | Pluggable Authentication Modules | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is `pam_unix.so`, which retrieves, sets, and verifies account authentication information in `/etc/passwd` and `/etc/shadow`. |
| .004 | Network Device Authentication | Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. |
| .005 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The `AllowReversiblePasswordEncryption` property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it. |
| .006 | Multi-Factor Authentication | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. |
| .007 | Hybrid Identity | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. |
| .008 | Network Provider DLL | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. |
| T1111 | Multi-Factor Authentication Interception | Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. |
| T1621 | Multi-Factor Authentication Request Generation | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. |
| T1040 | Network Sniffing | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. |
| T1003 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. |
| .001 | LSASS Memory | Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. |
| .002 | Security Account Manager | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM level access. |
| .003 | NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in `%SystemRoot%\NTDS\Ntds.dit` of a domain controller. |
| .004 | LSA Secrets | Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at `HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets`. LSA secrets can also be dumped from memory. |
| .005 | Cached Domain Credentials | Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable. |
| .006 | DCSync | Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync. |
| .007 | Proc Filesystem | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process's virtual address space. `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process's virtual address space. |
| .008 | /etc/passwd and /etc/shadow | Adversaries may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline password cracking. Most modern Linux operating systems use a combination of `/etc/passwd` and `/etc/shadow` to store user account information, including password hashes in `/etc/shadow`. By default, `/etc/shadow` is only readable by the root user. |
| T1528 | Steal Application Access Token | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. |
| T1649 | Steal or Forge Authentication Certificates | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts. |
| T1558 | Steal or Forge Kerberos Tickets | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: client, service, and Key Distribution Center (KDC). Clients request access to a service and, through the exchange of Kerberos tickets originating from the KDC, are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. |
| .001 | Golden Ticket | Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. |
| .002 | Silver Ticket | Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket-granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets. |
| .003 | Kerberoasting | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. |
| .004 | AS-REP Roasting | Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages. |
| T1539 | Steal Web Session Cookie | An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. |
| T1552 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys). |
| .001 | Credentials In Files | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. |
| .002 | Credentials in Registry | Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. |
| .003 | Bash History | Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's `.bash_history` file. For each user, this file resides at the same location: `~/.bash_history`. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. |
| .004 | Private Keys | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. |
| .005 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. |
| .006 | Group Policy Preferences | Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. |
| .007 | Container API | Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components. |
| .008 | Chat Messages | Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels. |