凭据访问漏洞利用是指攻击者通过利用软件漏洞或协议缺陷,非法获取系统凭证或绕过身份验证机制的技术手段。典型攻击方式包括Kerberos票证伪造、认证协议重放攻击、内存凭证提取等,目标是通过获取有效凭证实现横向移动和权限提升。防御方通常采用漏洞补丁管理、多因素认证部署、内存保护机制(如Credential Guard)以及网络流量深度分析等手段进行防护。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过协议级仿真和API调用伪装,将漏洞利用流量与合法业务流深度融合。例如将Kerberos票证伪造攻击封装在正常的域认证流量中,或通过云平台合规API获取临时凭证,使得攻击行为在协议特征和交互模式上与正常操作无法区分。
利用零日漏洞(如未公开的云元数据服务漏洞)和内存操作隐蔽性实施攻击,传统基于已知特征库的检测手段无法有效识别。例如通过无文件攻击提取LSASS内存凭证,全程不触发磁盘写操作告警。
采用HTTPS加密传输漏洞利用载荷、内存数据流加密回传等技术,阻止防御方解析攻击内容。云元数据滥用攻击中,临时凭证通过TLS加密通道传输,有效隐藏敏感信息。
通过低频凭证重放、分布式漏洞触发等策略稀释攻击特征。例如在跨国云环境中轮换不同区域的实例发起元数据查询,将单次攻击行为分散到多个地理节点和长时间周期。
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance |
Application developers should consider taking measures to validate authentication requests by enabling one-time passwords, providing timestamps or sequence numbers for messages sent, using digital signatures, and/or using random session keys.[1][2] |
| M1048 | Application Isolation and Sandboxing |
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[3] |
| M1050 | Exploit Protection |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.[4] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[5] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion. |
| M1019 | Threat Intelligence Program |
Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
| M1051 | Update Software |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
| DS0009 | Process | Process Creation |
Monitor for newly executed processes that may indicate attempts to exploit vulnerabilities for credential access. Analytic 1 - Unexpected process creation related to exploitation tools or techniques.
|
| DS0002 | User Account | User Account Authentication |
Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen. Analytic 1 - High number of failed authentication attempts or unusual logon patterns.
|