Credential Access (TA0006) Techniques

Credential Access (TA0006) covers the techniques adversaries use to steal account names, passwords, hashes, Kerberos material and access tokens. The hunting queries on this page are written in Kusto Query Language (KQL) for Microsoft Defender XDR Advanced Hunting and read from its schema tables (DeviceProcessEvents, DeviceFileEvents and related tables); each entry states what the query is meant to surface so that it can be tuned to the environment.

1. T1003 - OS Credential Dumping

Objective: Detect attempts to extract credential material held by the operating system, such as LSASS process memory, the SAM, SECURITY and SYSTEM registry hives, and the NTDS.dit database on domain controllers.

  1. Detect LSASS Memory Dump

DeviceProcessEvents
| where FileName in~ ("procdump.exe", "procdump64.exe") or ProcessVersionInfoOriginalFileName has "procdump"
| where ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName

Purpose: Identify Sysinternals ProcDump (procdump.exe or procdump64.exe) writing a minidump of the LSASS process. The version-information check catches a renamed copy of the tool, and the term match on "lsass" covers both "lsass" and "lsass.exe" in the arguments. ProcDump has no routine reason to target lsass.exe outside a vendor support case, so any hit is worth a look.

  2. Monitor for Mimikatz Execution

DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "sekurlsa", "lsadump", "logonpasswords", "privilege::debug")
   or ProcessVersionInfoOriginalFileName =~ "mimikatz.exe" or ProcessVersionInfoFileDescription has "mimikatz"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName

Purpose: Detect Mimikatz and its PowerShell wrapper (Invoke-Mimikatz) by the module names that appear on the command line (sekurlsa, lsadump, privilege::debug) and by the binary's version information, which survives a rename but not a rebuild. Module names are easy to obfuscate, so treat this as a high-confidence, low-recall hunt.

  3. Identify SAM Registry Hive Extraction

DeviceProcessEvents
| where FileName =~ "reg.exe" and ProcessCommandLine has "save"
| where ProcessCommandLine has_any ("sam", "security", "system")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName

Purpose: Monitor for "reg save" of the SAM hive (local password hashes), the SECURITY hive (LSA secrets and cached domain credentials) and the SYSTEM hive (the boot key needed to decrypt the other two). The query keys on reg.exe with the save verb; matching the bare words "sam" or "system" in any command line would fire on ordinary activity. The hives can also be copied from a shadow copy or with esentutl, which the VSS hunt (item 5) covers.

  4. Detect NTDS.dit File Access

DeviceFileEvents
| where FileName =~ "ntds.dit" and InitiatingProcessFileName !~ "lsass.exe"
| where not(FolderPath endswith @"\NTDS")
| project Timestamp, DeviceName, ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify copies of NTDS.dit, the Active Directory database that holds every domain account's password hashes. DeviceFileEvents records creates, renames, modifications and deletions rather than reads, so a theft shows up as a new ntds.dit at the destination (an IFM export folder, a mounted shadow copy, a staging directory) instead of as access to the live file; the live database under %SystemRoot%\NTDS is touched continuously by lsass.exe and is excluded to keep the result set small.

  5. Monitor for Use of Volume Shadow Copy Service (VSS)

DeviceProcessEvents
| where FileName in~ ("vssadmin.exe", "wmic.exe", "diskshadow.exe", "ntdsutil.exe", "esentutl.exe")
| where ProcessCommandLine has_any ("create shadow", "shadowcopy call create", "ntds", "ifm", "create full", "vss")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName

Purpose: Detect the native ways of copying a locked file such as NTDS.dit or a registry hive: creating a shadow copy (vssadmin, wmic shadowcopy, diskshadow), an ntdsutil IFM export ("ac i ntds", "ifm", "create full"), or esentutl with /vss. Backup agents create shadow copies legitimately, so baseline the initiating process and account before alerting.

  6. Identify Use of DCSync to Replicate Domain Credentials

Purpose: Monitor for DCSync, in which an account holding replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) asks a domain controller to replicate password data over the directory replication service. The request runs no process on the victim, so DeviceProcessEvents cannot see it; it is visible in Microsoft Defender for Identity telemetry (IdentityDirectoryEvents, ActionType "Directory Services replication") as a replication request whose source is not a domain controller.

  7. Detect Use of CrackMapExec

Purpose: Identify CrackMapExec (continued as NetExec), which runs on the attacker's host and drives targets over SMB and WMI with Impacket. On the endpoint it appears as the execution artefacts of those libraries: cmd.exe spawned by wmiprvse.exe (wmiexec) or services.exe (smbexec) with "/Q /c" and its output redirected to a file under the ADMIN$ or C$ share of 127.0.0.1, followed by SAM or LSASS dumping from that process chain.

  8. Monitor for Unauthorized Access to LSASS

Purpose: Detect processes opening a handle to lsass.exe with rights that allow reading its memory. DeviceEvents records these as OpenProcessApiCall events; the hunt is an allowlist of known accessors (AV/EDR engines, csrss, wininit, services) and an inspection of everything else, which catches dumpers regardless of their file name.

  9. Identify Suspicious Registry Reads

Purpose: Monitor for reads of the SAM, SECURITY and SYSTEM hives. DeviceRegistryEvents records only key and value creations, modifications and deletions, not reads, so hive reads are hunted indirectly: reg.exe save or export, hive files appearing outside %SystemRoot%\System32\config in DeviceFileEvents, or tools that parse the hives offline.

  10. Detect Password Extraction via PowerShell

Purpose: Identify PowerShell that loads credential-theft modules or reads credential stores in memory: Invoke-Mimikatz, Out-Minidump, DSInternals cmdlets such as Get-ADReplAccount, or a reflective load of a dumping DLL. Command lines in DeviceProcessEvents catch the obvious cases; script-block content is available in DeviceEvents (ActionType "PowerShellCommand") when script block logging is enabled.
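The following query is an added example for item 8 above and is not part of the original page. It hunts for processes that open lsass.exe with memory-read rights, which every in-memory dumper must do whatever its binary is called. It assumes that DeviceEvents OpenProcessApiCall rows carry the target process in FileName and the requested access mask as AdditionalFields.DesiredAccess; the allowlist of known accessors and the 7-day lookback are assumptions to tune.

```kql
// Added example (not from the original page): processes opening lsass.exe with
// memory-read rights. mimikatz, procdump, comsvcs MiniDump and nanodump all need
// such a handle, so this catches the behaviour rather than the tool name.
// Assumed schema: DeviceEvents ActionType "OpenProcessApiCall" reports the target
// process in FileName and the requested mask in AdditionalFields.DesiredAccess.
let lookback = 7d;
let PROCESS_VM_READ = 0x0010;   // Win32 access right required to read another process's memory
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// Known accessors (AV/EDR engines and core Windows components). Assumed list; tune it.
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MsSense.exe", "SenseIR.exe",
                                        "csrss.exe", "wininit.exe", "services.exe", "lsm.exe")
| extend DesiredAccess = toint(parse_json(AdditionalFields).DesiredAccess)
// Keep only handles that can read memory; query-only handles (0x0400, 0x1000) are benign noise
| where binary_and(DesiredAccess, PROCESS_VM_READ) != 0
| summarize AccessCount = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            AccessMasks = make_set(DesiredAccess, 5)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessCommandLine, InitiatingProcessSHA1, InitiatingProcessAccountName
// Rare accessors first: an unknown binary that touched lsass once is the interesting
// row, while a signed agent doing it thousands of times is an allowlist candidate.
| order by AccessCount asc
```

A hit on rundll32.exe with comsvcs.dll and MiniDump on its command line is the living-off-the-land dump that a file-name match on procdump can never see; pivot on InitiatingProcessSHA1 into DeviceProcessEvents to find the parent that launched it.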

2. T1110 - Brute Force

Objective: Detect attempts to gain unauthorized access to accounts by systematically guessing passwords.

  1. Detect Multiple Failed Logon Attempts

Purpose: Identify accounts with many failed logons in a short window (DeviceLogonEvents, ActionType "LogonFailed"), which may indicate password guessing. Count per account and per source address; the two views separate a single user with a mistyped password from an attacker.

  2. Monitor for Suspicious RDP Logon Failures

Purpose: Detect failed RDP logons (LogonType "RemoteInteractive") from a single remote address that may be part of a brute force attack; RDP exposed to the internet is the most common target.

  3. Identify Brute Force Attempts on Service Accounts

Purpose: Monitor for failed logons against service accounts. These accounts rarely log on interactively and often sit outside lockout policy, so even a handful of failures from an unexpected source is notable.

  4. Detect SSH Brute Force Attempts

Purpose: Identify SSH brute force attempts from repeated denied network sessions to port 22 from one source (DeviceNetworkEvents), using network telemetry rather than logon events.

  5. Monitor for Brute Force Attempts Against Local Admin Accounts

Purpose: Detect failed logons targeting the built-in local Administrator account, which carries the same name on every host and has often been exempt from lockout policy, making it a favourite target of network-wide guessing.

  6. Identify Use of Automated Brute Force Tools

Purpose: Monitor for the execution of automated guessing tools (hydra, medusa, ncrack, kerbrute, CrackMapExec/NetExec, Rubeus brute) by file name, version information or command-line syntax.

  7. Detect Unusual Account Lockouts

Purpose: Identify accounts locked out after repeated failed logons; a cluster of lockouts across many accounts within minutes is the signature of a spray that ran past the lockout threshold.

  8. Monitor for Failed Logons Across Multiple Devices

Purpose: Detect one account or one source address failing to log on across many devices, which indicates a distributed or lateral guessing campaign rather than a single user's mistake.

  9. Identify Unusual Logon Attempts by Non-Admin Accounts

Purpose: Monitor for guessing against ordinary user accounts; attackers spray these first because they are numerous, rarely watched and more likely to carry weak passwords.

  10. Detect Brute Force Attempts on Remote Access Services

Purpose: Identify brute force attempts targeting remote access services such as RDP, SSH or VPN, correlating failed logons with the listening service and the external source address.
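The query below is an added example for this technique and is not part of the original page. It covers items 1, 2, 8 and 10 in one pass: it groups failed network and RDP logons by source address and device in ten-minute windows, separates guessing against one account from spraying across many, and flags sources that succeed after failing. Table and column names are the DeviceLogonEvents schema; the window, thresholds and lookback are assumptions to tune.

```kql
// Added example (not from the original page): brute force and password spray over
// DeviceLogonEvents, with the "failures then a success" outcome called out.
let window = 10m;
let fail_threshold = 20;      // failures per source per window worth a look (assumption)
let spray_accounts = 10;      // distinct accounts hit by one source = spray (assumption)
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType in ("Network", "RemoteInteractive")   // SMB/WinRM and RDP
| where ActionType in ("LogonFailed", "LogonSuccess")
| where isnotempty(RemoteIP)
| summarize Failed = countif(ActionType == "LogonFailed"),
            Succeeded = countif(ActionType == "LogonSuccess"),
            FirstFailure = minif(Timestamp, ActionType == "LogonFailed"),
            FirstSuccess = minif(Timestamp, ActionType == "LogonSuccess"),
            TargetAccounts = dcount(AccountName),
            SampleAccounts = make_set_if(AccountName, ActionType == "LogonFailed", 5),
            SucceededAs = make_set_if(AccountName, ActionType == "LogonSuccess", 5)
    by RemoteIP, DeviceName, LogonType, bin(Timestamp, window)
| where Failed >= fail_threshold
// Many accounts from one source is a spray; many failures on few accounts is brute force
| extend Pattern = iff(TargetAccounts >= spray_accounts, "password spray", "brute force"),
         Outcome = iff(Succeeded > 0 and FirstSuccess > FirstFailure,
                       "SUCCESS after failures - investigate", "no success in window")
| project Timestamp, RemoteIP, DeviceName, LogonType, Pattern, Outcome,
          Failed, Succeeded, TargetAccounts, SampleAccounts, SucceededAs
| order by Succeeded desc, Failed desc
```

For a distributed attack against one account (item 8), swap the grouping: summarize by AccountName and bin(Timestamp, window) with dcount(DeviceName) and dcount(RemoteIP), and alert when one account fails on many devices from many sources inside one window.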

3. T1555 - Credentials from Password Stores

Objective: Detect attempts to access or extract credentials stored in password stores or credential managers.

  1. Detect Access to Windows Credential Manager

Purpose: Identify enumeration of the credentials stored in Windows Credential Manager via "cmdkey /list" or "vaultcmd /listcreds". Listing is usually the reconnaissance step before the entries are decrypted with DPAPI.

  2. Monitor for Access to the Windows Vault

Purpose: Detect processes other than lsass.exe creating or copying files under the Vault directory (%LOCALAPPDATA%\Microsoft\Vault\<GUID>\*.vcrd), which hold the encrypted vault entries.

  3. Identify Use of Browsing Data Extraction Tools

Purpose: Monitor for tools that decrypt saved browser credentials (WebBrowserPassView, SharpChrome, LaZagne, HackBrowserData) by file name, version information and typical arguments.

  4. Detect Access to LSA Secrets

Purpose: Identify dumping of LSA secrets (service account passwords, cached domain credentials, the machine account password) with tools such as secretsdump.py, mimikatz lsadump::secrets, or offline parsing of the SECURITY and SYSTEM hives. secretsdump.py runs remotely, so on the target it typically appears as hive copies written by the Remote Registry service (svchost.exe) into the Windows temp directory and then read over SMB.

  5. Monitor for PowerShell Credential Dumping Commands

Purpose: Detect PowerShell that dumps or exports credentials: Invoke-Mimikatz, Import-Clixml of stored PSCredential files, or a reflective load of a dumping DLL.

  6. Identify Suspicious Access to Keychain on macOS (if applicable)

Purpose: Monitor for suspicious access to the macOS Keychain ("security dump-keychain", "security find-generic-password", or direct reads of ~/Library/Keychains/login.keychain-db by unusual processes).

  7. Detect Access to Saved Passwords in Web Browsers

Purpose: Identify copies of the files that hold saved browser passwords ("Login Data" for Chromium-based browsers; logins.json and key4.db for Firefox) made by a process that is not the browser itself.

  8. Monitor for Unusual Access to DPAPI Master Keys

Purpose: Detect access to DPAPI master keys (%APPDATA%\Microsoft\Protect\<SID>\), which protect Credential Manager, browser and vault secrets; mimikatz dpapi::masterkey, SharpDPAPI and theft of the domain backup key (lsadump::backupkeys) are the usual routes.

  9. Identify Access to Password-Protected Archives

Purpose: Monitor for attempts to open or brute-force password-protected archives that may contain exported credentials or password lists.

  10. Detect Access to Credential Files in Remote Desktop Clients

Purpose: Identify access to credential files stored by Remote Desktop clients (.rdp files with saved credentials, Remote Desktop Connection Manager .rdg files, and Credential Manager entries prefixed TERMSRV/).
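The query below is an added example for this technique and is not part of the original page. It unions two hunts that cover items 1, 2, 7 and 8: command-line enumeration or decryption of the credential store, and copies of browser and vault credential files made by a process other than the application that owns them. Tool names and file locations are the documented ones; the process allowlists and the 30-day lookback are assumptions to tune.

```kql
// Added example (not from the original page): credential store enumeration plus
// foreign copies of the files that back saved credentials.
let lookback = 30d;
// (1) Credential Manager / vault listing and DPAPI decryption from the command line
let store_enumeration = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where (FileName =~ "cmdkey.exe" and ProcessCommandLine has "/list")
     or (FileName =~ "vaultcmd.exe" and ProcessCommandLine has "/listcreds")
     or (FileName =~ "rundll32.exe" and ProcessCommandLine has "keymgr.dll")   // Stored User Names and Passwords UI
     or ProcessCommandLine has_any ("vault::cred", "dpapi", "sharpdpapi", "masterkey", "masterkeys")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          Signal = "credential store enumerated or decrypted", Detail = ProcessCommandLine;
// (2) DeviceFileEvents does not log reads, so a theft is visible as the copy being
//     created: the credential file name appearing under a process that is not its owner.
let credential_file_copies = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileRenamed")
| where (FileName =~ "Login Data"
            and InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe"))
     or (FileName in~ ("logins.json", "key4.db") and InitiatingProcessFileName !~ "firefox.exe")
     or (FileName endswith ".vcrd" and InitiatingProcessFileName !~ "lsass.exe")   // vault entries are written by lsass
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName,
          Signal = "credential file copied by foreign process", Detail = strcat(FolderPath, @"\", FileName);
union store_enumeration, credential_file_copies
| order by Timestamp desc
```

Backup agents and profile-migration tools will appear in the second hunt; add them to the allowlist only after confirming the destination path is one they own, because a copy of "Login Data" into a user's Downloads or a temp folder is exactly what an infostealer produces.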

4. T1552 - Unsecured Credentials

Objective: Detect attempts to locate or use unsecured credentials, such as plaintext passwords or keys, stored in files or environment variables.

  1. Detect Access to Plaintext Credential Files

Purpose: Identify access to files that commonly hold plaintext credentials (unattend.xml, sysprep.inf, web.config, .env, Group Policy Preferences Groups.xml), either by file name or through search commands such as "findstr /si password".

  2. Monitor for Environment Variables Containing Credentials

Purpose: Detect commands that list the environment and filter it for secrets ("set", "Get-ChildItem Env:", "printenv" piped into findstr or Select-String), which exposes credentials that CI agents, installers and developers leave in variables.

  3. Identify Access to SSH Private Keys

Purpose: Monitor for reads or copies of SSH private keys (id_rsa, id_ed25519, id_ecdsa, id_dsa, *.ppk) by processes other than SSH clients, git and key-management tools.

  4. Detect Access to Cloud Provider Credential Files

Purpose: Identify copies of cloud CLI credential files such as ~/.aws/credentials, ~/.azure/msal_token_cache.json and the gcloud credentials database, which grant the same access as the user who signed in.

  5. Monitor for Access to Hardcoded Credentials in Scripts

Purpose: Detect access to scripts and configuration files that embed credentials (scheduled-task scripts, deployment scripts, connection strings), typically through searches for "password=" or "pwd=" across .ps1, .bat, .vbs and .py files.

  6. Identify Use of Commands to Dump Stored Credentials

Purpose: Monitor for commands that decrypt credentials an application stored for itself, such as LaZagne, SharpDPAPI, or "aspnet_regiis -pdf", which decrypts protected web.config sections.

  7. Detect Access to Credential Files in Version Control

Purpose: Identify access to credential files kept in repositories (.git-credentials, .npmrc with auth tokens, .pypirc, committed .env files), including clones and history searches for secrets.

  8. Monitor for Access to SQL Connection Strings

Purpose: Identify access to configuration files that carry SQL connection strings with embedded passwords (web.config, app.config, appsettings.json, ODBC DSN registry keys), which usually give a database login as privileged as the application's.

  9. Identify Download of Publicly Exposed Credential Files

Purpose: Monitor for downloads from URLs that may expose unsecured credentials (paste sites, exposed .env or configuration files on web servers, public storage buckets).

  10. Detect Unencrypted Passwords Stored in Browser Extensions

Purpose: Identify access to browser extension storage (the "Local Extension Settings" LevelDB folders) by processes other than the browser, where some extensions keep passwords or tokens unencrypted.
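The query below is an added example for this technique and is not part of the original page. It covers items 1, 2, 3, 5 and 8 with one pass over DeviceProcessEvents: command lines that search the file system or the environment for secrets, and SSH private keys handled by something other than an SSH client. The tool names are real; the keyword list, the process allowlist and the lookback are assumptions to tune.

```kql
// Added example (not from the original page): credential-hunting commands and
// SSH private key handling, classified by a case() expression so one query
// serves several of the items above.
let secret_terms = dynamic(["password", "passwd", "secret", "apikey", "api_key",
                            "connectionstring", "connection string", "credential"]);   // assumed list
DeviceProcessEvents
| where Timestamp > ago(30d)
| extend Pattern = case(
    // findstr /si password *.xml *.ini *.txt
    FileName =~ "findstr.exe" and ProcessCommandLine has_any (secret_terms),
        "findstr secret search",
    // dir /s *pass* or dir /s *cred* from a shell
    FileName =~ "cmd.exe" and ProcessCommandLine has "dir" and ProcessCommandLine has_any ("pass", "cred", "vnc"),
        "dir secret search",
    // Get-ChildItem -Recurse | Select-String -Pattern password
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Select-String"
        and ProcessCommandLine has_any (secret_terms),
        "PowerShell secret search",
    // set | findstr password   or   Get-ChildItem Env: | Select-String secret
    FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("set", "Env:") and ProcessCommandLine has_any (secret_terms),
        "environment variable search",
    // SSH private keys touched by anything other than an SSH client or git
    ProcessCommandLine has_any ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa")
        and FileName !in~ ("ssh.exe", "ssh-add.exe", "ssh-agent.exe", "ssh-keygen.exe",
                           "scp.exe", "sftp.exe", "git.exe"),
        "SSH private key access",
    "")
| where isnotempty(Pattern)
| project Timestamp, DeviceName, AccountName, Pattern, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

Developers and build agents run genuine searches for "password" in their own repositories; summarize the result by AccountName and Pattern over a week before alerting, and treat a first-ever hit for an account, or one launched from a parent such as rundll32.exe or wscript.exe, as the row to investigate.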

5. T1111 - Two-Factor Authentication Interception

Objective: Detect attempts to intercept or bypass two-factor authentication (2FA). Most of these techniques (SIM swaps, device cloning, real-time phishing proxies) happen off the managed endpoint, so the endpoint tables contribute little; identity-provider sign-in and audit telemetry carries most of the signal.

  1. Detect Attempts to Access 2FA Backup Codes

Purpose: Identify access to files or notes containing 2FA backup (recovery) codes, which bypass the second factor outright.

  2. Monitor for Unusual 2FA Push Notifications

Purpose: Detect bursts of push-based MFA prompts to one user (MFA fatigue, also called push bombing), visible in the identity provider as repeated denied or timed-out strong-authentication attempts.

  3. Identify Phishing Attacks Targeting 2FA Credentials

Purpose: Monitor for phishing that relays the one-time code or the whole session through an adversary-in-the-middle proxy; the MFA step completes from the proxy's address and the resulting session is then used from the attacker's.

  4. Detect Access to OTP Generator Apps

Purpose: Identify attempts to access or export the seeds held by OTP generator apps (desktop authenticators or password-manager OTP databases), which let an attacker generate valid codes.

  5. Monitor for Unusual 2FA Verification Requests

Purpose: Detect unusual or repeated verification requests (many challenges in minutes, challenges at odd hours or from new locations) that may indicate an attacker who holds the password and is trying to get past the second factor.

  6. Identify Attempts to Modify 2FA Settings

Purpose: Monitor for changes to 2FA settings: a new authenticator or phone number registered, a method removed, or MFA disabled for a user, especially shortly after a sign-in from a new location.

  7. Detect Use of Tools for 2FA Interception

Purpose: Identify adversary-in-the-middle phishing kits and proxies (Evilginx, Modlishka, Muraena) by their infrastructure and the sign-in patterns they produce.

  8. Monitor for Access to 2FA Secret Keys

Purpose: Detect access to files containing TOTP secret keys or QR-code exports, which amount to a permanent copy of the second factor.

  9. Identify Access to SIM Cards or Mobile Devices

Purpose: Monitor for SIM-swap or device-takeover indicators, for example SMS codes arriving after a carrier change; this is mostly visible to the user and the carrier, not to endpoint telemetry.

  10. Detect Cloning or Reprovisioning of 2FA Devices

Purpose: Identify re-registration of an MFA device, or a second device enrolled for the same user, that the user did not initiate.
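The query below is an added example for items 2 and 5 above and is not part of the original page. It is an MFA-fatigue hunt over Microsoft Entra sign-in telemetry: bursts of failed strong-authentication prompts for one user, joined to any successful sign-in by that user within the hour after the burst. It assumes the AADSignInEventsBeta table with AccountUpn, IPAddress, Application and ErrorCode columns, and that ErrorCode 500121 marks a strong-authentication (MFA) step that was denied, timed out or not completed; the window, threshold and lookback are assumptions to tune.

```kql
// Added example (not from the original page): MFA fatigue / push bombing followed
// by a success. Assumed: AADSignInEventsBeta columns AccountUpn, IPAddress,
// Application, ErrorCode; 500121 = strong-auth failed, 0 = success.
let lookback = 7d;
let burst_window = 1h;
let min_prompts = 5;          // repeated MFA failures inside an hour for one user (assumption)
let signins = AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where isnotempty(AccountUpn);
// Bursts of failed MFA prompts per user per hour
let mfa_bursts = signins
| where ErrorCode == 500121
| summarize FailedPrompts = count(), FirstPrompt = min(Timestamp), LastPrompt = max(Timestamp),
            SourceIPs = make_set(IPAddress, 10), Apps = make_set(Application, 10)
    by AccountUpn, bin(Timestamp, burst_window)
| where FailedPrompts >= min_prompts;
// Successful sign-ins, to be matched against the hour after each burst
let successes = signins
| where ErrorCode == 0
| project AccountUpn, SuccessTime = Timestamp, SuccessIP = IPAddress, SuccessApp = Application;
mfa_bursts
| join kind=leftouter (successes) on AccountUpn
| extend SuccessInWindow = isnotnull(SuccessTime)
                           and SuccessTime between (LastPrompt .. (LastPrompt + 1h))
| summarize SuccessAfterBurst = countif(SuccessInWindow),
            SuccessFrom = make_set_if(SuccessIP, SuccessInWindow, 5),
            SuccessApps = make_set_if(SuccessApp, SuccessInWindow, 5)
    by AccountUpn, Timestamp, FirstPrompt, LastPrompt, FailedPrompts,
       SourceIPs = tostring(SourceIPs), Apps = tostring(Apps)
| extend Verdict = iff(SuccessAfterBurst > 0,
                       "MFA fatigue followed by success - investigate",
                       "repeated MFA failures")
| order by SuccessAfterBurst desc, FailedPrompts desc
```

A burst with no success is still worth a user conversation, because it means the attacker already holds a valid password; a burst followed by a success from an address that was not among SourceIPs is the classic fatigue pattern, and the session that resulted should be revoked rather than merely watched.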

6. T1528 - Steal Application Access Token

Objective: Detect attempts to steal or use application access tokens to gain unauthorized access to resources.

  1. Detect Unusual Access to OAuth Tokens

Purpose: Identify access to OAuth tokens cached on the system (CLI token caches, MSAL caches, application refresh tokens) by a process that is not the owning application.

  2. Monitor for Use of Stolen Access Tokens

Purpose: Detect a stolen token being used: the same token presented from a new IP address, user agent or device, or used against an API the application never called before.

  3. Identify Access to Web Browser Session Tokens

Purpose: Monitor for copies of browser cookie and session stores, which turn a stolen token into a signed-in session without the password or second factor.

  4. Detect Token Injection Attempts

Purpose: Identify stolen tokens being injected into API requests or browser sessions, for example a bearer token appearing in requests from a host that never authenticated for it.

  5. Monitor for Access Token Replay Attacks

Purpose: Detect replay of a captured access token, most reliably by correlating the token's issuance context (device, IP address, session) with each subsequent use.

  6. Identify Unusual Use of JWT Tokens

Purpose: Monitor for suspicious JSON Web Token (JWT) usage that might indicate theft: tokens used long after issuance from a different origin, or tokens whose claims (audience, scopes) do not match the calling application.

  7. Detect Unauthorized Access to Cloud Provider Tokens

Purpose: Identify unauthorized access to cloud provider tokens stored on the system (the az, aws, gcloud and kubectl caches), which give the attacker the signed-in user's cloud permissions.

  8. Monitor for Attempts to Export Access Tokens

Purpose: Detect commands that print or export access tokens from applications, such as "az account get-access-token" or "gcloud auth print-access-token", outside of scripted automation.

  9. Identify Suspicious OAuth Token Refresh Requests

Purpose: Monitor for unusual or repeated refresh-token use, particularly refreshes from a new location while the original session is still active, which indicates the refresh token was copied.

  10. Detect Malicious Token Exchange Processes

Purpose: Identify token exchanges (on-behalf-of flows, consent grants to third-party applications) that an attacker uses to convert one token into broader or longer-lived access.
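The query below is an added example and is not part of the original page. It serves the T1552 item "Detect Access to Cloud Provider Credential Files" together with items 1, 7 and 8 of this technique: cloud CLIs keep long-lived credentials and cached OAuth tokens in documented files under the user profile, and the same CLIs will print a bearer token on request, so on the endpoint token theft looks like those files being copied, the credential directories being archived, or a token being printed. File locations are the CLIs' documented defaults; the staging-tool list and the lookback are assumptions to tune.

```kql
// Added example (not from the original page): three endpoint-side signals of
// cloud credential and token theft, unioned into one result set.
let lookback = 30d;
// (1) A token or credential cache file appearing outside its home folder is a copy.
//     Documented defaults: %USERPROFILE%\.azure, %APPDATA%\gcloud, %USERPROFILE%\.aws
let cache_copies = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileRenamed")
| where (FileName in~ ("msal_token_cache.json", "accessTokens.json", "azureProfile.json", "service_principal_entries.json")
            and not(FolderPath endswith @"\.azure"))
     or (FileName in~ ("access_tokens.db", "credentials.db", "application_default_credentials.json")
            and not(FolderPath endswith @"\gcloud"))
     or (FileName =~ "credentials" and not(FolderPath endswith @"\.aws"))
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Process = InitiatingProcessFileName,
          Signal = "cloud token cache copied", Detail = strcat(FolderPath, @"\", FileName);
// (2) Archiving or copying the credential directories for exfiltration
let staging = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine has_any (".aws", ".azure", ".kube", "gcloud")
| where FileName in~ ("7z.exe", "7za.exe", "tar.exe", "rar.exe", "winrar.exe", "xcopy.exe", "robocopy.exe", "scp.exe", "curl.exe")
     or (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("copy", "Copy-Item", "Compress-Archive", "Invoke-WebRequest", "Invoke-RestMethod"))
| project Timestamp, DeviceName, AccountName, Process = FileName,
          Signal = "cloud credential directory staged", Detail = ProcessCommandLine;
// (3) The CLI asked to print a bearer token. az and gcloud run under python.exe,
//     so the command line, not the image name, is what identifies them.
let token_exports = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine has_any ("get-access-token", "print-access-token", "print-identity-token",
                                   "get-session-token", "get-federation-token", "config view --raw")
| project Timestamp, DeviceName, AccountName, Process = FileName,
          Signal = "access token printed by CLI", Detail = ProcessCommandLine;
union cache_copies, staging, token_exports
| order by Timestamp desc
```

Signal (3) fires on legitimate automation constantly; the useful filter is the parent: a token printed by a scheduled task or a build agent is routine, the same command typed into a shell whose parent is a browser, an Office application or a remote-access tool is not. For signal (1), an AWS "credentials" file is also created by ordinary tooling in other folders, so check InitiatingProcessFileName before escalating.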
