1. Home
  2. Techniques
  3. Enterprise
  4. 未加密凭证

未加密凭证

ID Name
T1552.001 跨进程凭证碎片化重组
T1552.002 凭证窃取日志注入
T1552.003 合法凭证管理工具滥用

未加密凭证是指攻击者通过获取存储在系统明文文件、注册表、内存或应用程序中的敏感认证信息,进而实施横向移动或权限提升的攻击技术。传统防御主要依赖监控敏感文件访问行为(如.bash_history读取)、检测异常进程命令行参数(包含"password"、"cred"等关键词)、以及分析注册表查询模式。缓解措施包括实施全盘加密、限制凭证存储位置访问权限、加强进程行为监控等。

为规避传统检测机制对敏感数据访问行为的识别,攻击者发展出新型凭证窃取匿迹技术,通过内存化操作、日志载体伪装、系统工具滥用等手段,将凭证收集过程深度融入系统正常运维活动,显著降低攻击行为的可观测性。

当前未加密凭证匿迹技术的演进呈现三大特征:一是传输通道的合法化,利用日志系统、管理协议等可信通道实现数据外泄;二是操作行为的白名单化,严格遵循系统组件的标准调用规范以规避异常行为检测。凭证窃取日志注入通过污染审计记录破坏攻击行为追溯链条;合法工具滥用则充分利用系统信任机制,在安全策略盲区内完成凭证收集。技术的共性在于深度解构系统正常运行机制,通过技术组件的正当性组合实现恶意行为的上下文伪装。

匿迹技术的发展导致传统基于文件监控、命令行关键词检测的防御体系面临失效风险。防御方需加强内存保护机制(如LSASS防护)、实施日志完整性验证、建立凭证管理工具的最小权限管控,并构建基于行为链分析的异常凭证访问检测模型,实现对隐蔽窃取行为的多维度感知。

ID: T1552
Sub-techniques:  T1552.001, T1552.002, T1552.003
Tactic: 凭据获取
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS
Contributors: Austin Clark, @c2defense
Version: 1.4
Created: 04 February 2020
Last Modified: 14 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过模仿系统管理操作特征实现行为伪装。例如使用合法凭证管理工具的标准调用接口,使恶意凭证查询在进程行为、API调用序列等维度与正常运维操作完全一致。这种技术手段使得攻击行为在表面特征层面与白名单操作无法区分。

行为透明

通过滥用系统内置组件和标准协议,攻击者将凭证窃取过程深度嵌入正常的系统管理流程,防御者无法通过观察系统行为来发现攻击者正在获取凭证。通过凭证窃取日志注技术污染审计记录,从而实现攻击痕迹遮蔽。

时空释痕

通过跨设备分布式存储与低频传输策略,将完整的凭证窃取过程拆解为多设备、长周期的碎片化操作。单个设备的碎片存储行为不具备敏感性,低频传输节奏避免触发网络流量阈值告警,时空维度的特征稀释使得传统单点检测机制无法有效识别攻击链条。

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth uses an external software known as NetPass to recover passwords. [1]
S1111 DarkGate

DarkGate uses NirSoft tools to steal user credentials from the infected machine.[2] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe.
S1131 NPPSPY

NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information.[3]
S1091 Pacu

Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.[4]
G1017 Volt Typhoon

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.[5]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Remove vulnerable Group Policy Preferences.[6]
M1047 Audit

Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.
M1041 Encrypt Sensitive Information

When possible, store keys on separate cryptographic hardware instead of on the local system.

M1037 Filter Network Traffic

Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.[7]
M1035 Limit Access to Resource Over Network

Limit network access to sensitive services, such as the Instance Metadata API.
M1028 Operating System Configuration

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:set +o history and set -o history to start logging again;unset HISTFILE being added to a user's .bash_rc file; andln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.
M1027 Password Policies

Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.
M1026 Privileged Account Management

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
M1022 Restrict File and Directory Permissions

Restrict file shares to specific directories with access only to necessary users.
M1051 Update Software

Apply patch KB2962486 which prevents credentials from being stored in GPPs.[8][9]
M1017 User Training

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[10]

Analytic 1 - Abnormal search activity targeting passwords and other credential artifacts.

(index=third_party sourcetype IN ("mailserver_logs", "webapp_logs", "appliance_logs") ("search" OR "query" OR "find" OR "grep") ("password" OR "credential" OR "key" OR "secret" OR "token"))
DS0017 Command Command Execution

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Analytic 1 - Suspicious commands or regular expressions indicating credential search.

(index=security sourcetype="Powershell" EventCode=4104) OR(index=os sourcetype="linux_secure" action="execve") OR(index=os sourcetype="macos_secure" event_type="execve") | where match(CommandLine, "(?i)(password|credential|secret|key|token|login|passwd|passphrase)")
DS0022 File File Access

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Analytic 1 - Multiple file reads in a short period or searching for credential material.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="password" OR ObjectName="credential") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject="password" OR TargetObject="credential") OR(index=os sourcetype="linux_audit" action="open" filepath IN ("password", "credential", "passwd", "shadow", ".pem", ".key")) OR(index=os sourcetype="macos_secure" event_type="open" file_path IN ("password", "credential", "passwd", "shadow", ".pem", ".key"))
DS0009 Process Process Creation

Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials.

Analytic 1 - New processes with parameters indicating credential searches.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="password" OR CommandLine="credential") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="password" OR CommandLine="credential")
DS0002 User Account User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may search compromised systems to find and obtain insecurely stored credentials.

Analytic 1 - Failed or unusual logon attempts using compromised credentials.

(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 4648)) OR(index=os sourcetype="linux_secure" message="Failed password" OR message="Invalid user") OR(index=os sourcetype="macos_secure" event_type="authentication_failure" OR message="Failed to authenticate user")

DS0024 Windows Registry Windows Registry Key Access

Monitor for unexpected windows registry key being accessed that may search compromised systems to find and obtain insecurely stored credentials.

Analytic 1 - Unauthorized access to registry keys associated with credentials.

index=security sourcetype="WinEventLog:Microsoft-Windows-Security-Auditing" EventCode=4663 ObjectType="Registry" (ObjectName="password" OR ObjectName="credential") | eval AccessAttempt=case( AccessMask="0x1", "Read", AccessMask="0x2", "Write", AccessMask="0x3", "Read/Write", AccessMask="0x4", "Delete", true(), "Unknown")

References

  1. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  2. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  3. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
  4. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  5. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  1. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.
  2. Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
  3. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
  4. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
  5. Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023.