
Credential Access (TA0006) Techniques

Credential Access techniques involve adversaries attempting to steal account credentials such as usernames and passwords.

1. T1003 - OS Credential Dumping

Objective: Detect attempts to extract credentials stored on the operating system, such as those in memory, registries, or files.

1. Detect LSASS Memory Dump

```kusto
DeviceProcessEvents
| where FileName in~ ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of tools like procdump.exe to dump the memory of the LSASS process.

2. Monitor for Mimikatz Execution

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "sekurlsa::logonpasswords")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the execution of Mimikatz, a tool commonly used for credential dumping.

3. Identify SAM Registry Hive Extraction

```kusto
DeviceProcessEvents
// Require "reg" and "save" together instead of any one of the terms: "system" on its own
// appears in countless benign command lines and would drown the detection.
| where ProcessCommandLine has "reg" and ProcessCommandLine has "save"
| where ProcessCommandLine has_any ("sam", "system")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for attempts to extract the SAM registry hive, which contains password hashes.

4. Detect NTDS.dit File Access

```kusto
DeviceFileEvents
// == is case-sensitive; the file is usually recorded as ntds.dit.
| where FileName =~ "ntds.dit"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify access to the NTDS.dit file, which stores Active Directory credentials.

5. Monitor for Use of Volume Shadow Copy Service (VSS)

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin", "shadowcopy", "ntds.dit")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the use of VSS to copy the NTDS.dit file or other sensitive files.

6. Identify Use of DCSync to Replicate Domain Credentials

```kusto
DeviceProcessEvents
// Only a literal "dcsync" on the command line is matched here. The replication request itself is
// recorded by Defender for Identity in IdentityDirectoryEvents with ActionType "Directory Services replication".
| where ProcessCommandLine has "dcsync"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for DCSync attacks that attempt to replicate domain credentials from a domain controller.

7. Detect Use of CrackMapExec

```kusto
DeviceProcessEvents
| where ProcessCommandLine has "CrackMapExec"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of CrackMapExec, a tool often used for credential dumping and lateral movement.

8. Monitor for Unauthorized Access to LSASS

```kusto
// Handle opens against a process are recorded in DeviceEvents, not DeviceProcessEvents. FileName is the
// target process (lsass.exe) and the Initiating* columns describe the process that opened the handle.
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessCommandLine has_any ("mimikatz", "procdump", "taskmgr", "process hacker")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect unauthorized processes accessing the LSASS process.

9. Identify Suspicious Registry Reads

```kusto
DeviceRegistryEvents
// Keys are recorded with the full hive name (HKEY_LOCAL_MACHINE), not the HKLM abbreviation.
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SAM" or RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM"
| where InitiatingProcessFileName !~ "services.exe"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for unauthorized registry activity that could indicate credential dumping. Note that DeviceRegistryEvents records key and value creation, modification and deletion rather than reads, so this query surfaces tampering with the SAM and SYSTEM hives; a hive export is better caught by the reg save query above.

10. Detect Password Extraction via PowerShell

```kusto
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe") or ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("Get-ADReplAccount", "Get-Credential", "Export-Credential")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify PowerShell commands that attempt to extract or export credentials.
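The LSASS queries above each look for one known tool name. As an added example (not from the original page), the following hunt takes the same OpenProcessApiCall events and instead ranks every binary that opened LSASS by how many hosts it was seen on, so an unfamiliar, low-prevalence accessor stands out without a tool-name match; the allow list of expected accessors is an assumption to be rebuilt from your own estate.

```kusto
// Added example: prevalence-based LSASS access hunt over Defender for Endpoint data.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
// Assumed baseline of legitimate LSASS readers; derive the real list from a quiet period in your tenant.
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MsSense.exe", "csrss.exe", "wininit.exe")
| summarize Opens = count(),
            Devices = dcount(DeviceId),
            Accounts = dcount(InitiatingProcessAccountName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
          by InitiatingProcessFileName, InitiatingProcessSHA1, InitiatingProcessFolderPath
// A binary that opened LSASS on only one or two hosts deserves a look before a fleet-wide one does.
| extend Prevalence = iff(Devices <= 2, "low", "fleet-wide")
| order by Devices asc, Opens desc
```

Grouping on the SHA1 as well as the file name separates a renamed dumper from the legitimate binary whose name it borrowed.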

2. T1110 - Brute Force

Objective: Detect attempts to gain unauthorized access to accounts by systematically guessing passwords.

1. Detect Multiple Failed Logon Attempts

```kusto
IdentityLogonEvents
// The outcome is carried in ActionType (LogonSuccess / LogonFailed); there is no LogonResult column.
| where ActionType == "LogonFailed"
// Bucket by hour so the threshold is a rate, and keep Timestamp (the bin) so it can still be projected.
| summarize FailedAttempts = count(), FirstFailure = min(Timestamp), LastFailure = max(Timestamp)
    by AccountName, DeviceName, bin(Timestamp, 1h)
| where FailedAttempts > 10
| project Timestamp, AccountName, DeviceName, FailedAttempts, FirstFailure, LastFailure
```

Purpose: Identify accounts experiencing multiple failed logon attempts, which may indicate brute force attempts.

2. Monitor for Suspicious RDP Logon Failures

```kusto
// RDP failures are endpoint logon events; DeviceLogonEvents carries LogonType "RemoteInteractive" and the source IP.
DeviceLogonEvents
| where LogonType == "RemoteInteractive" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastFailure = max(Timestamp)
    by AccountName, DeviceName, RemoteIP, bin(Timestamp, 1h)
| where FailedAttempts > 5
| project Timestamp, AccountName, DeviceName, RemoteIP, FailedAttempts, LastFailure
```

Purpose: Detect failed RDP logon attempts that may be part of a brute force attack.

3. Identify Brute Force Attempts on Service Accounts

```kusto
IdentityLogonEvents
| where AccountName startswith "svc_" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastFailure = max(Timestamp)
    by AccountName, DeviceName, bin(Timestamp, 1h)
| where FailedAttempts > 5
| project Timestamp, AccountName, DeviceName, FailedAttempts, LastFailure
```

Purpose: Monitor for brute force attempts targeting service accounts.

4. Detect SSH Brute Force Attempts

```kusto
// DeviceNetworkEvents has no "denied session" action type. Inbound brute force shows up as a burst of
// accepted TCP connections to the SSH port from one source; RemotePort == 22 would match outbound SSH instead.
DeviceNetworkEvents
| where LocalPort == 22 and ActionType == "InboundConnectionAccepted"
| summarize Connections = count(), LastSeen = max(Timestamp)
    by RemoteIP, DeviceName, bin(Timestamp, 1h)
| where Connections > 10
| project Timestamp, RemoteIP, DeviceName, Connections, LastSeen
```

Purpose: Identify SSH brute force attempts from a burst of inbound connections to port 22 from a single source; the individual authentication failures are only recorded in the host's own auth log.

5. Monitor for Brute Force Attempts Against Local Admin Accounts

```kusto
IdentityLogonEvents
| where AccountName =~ "Administrator" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastFailure = max(Timestamp)
    by AccountName, DeviceName, bin(Timestamp, 1h)
| where FailedAttempts > 3
| project Timestamp, AccountName, DeviceName, FailedAttempts, LastFailure
```

Purpose: Detect brute force attempts targeting the local Administrator account.

6. Identify Use of Automated Brute Force Tools

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("Hydra", "Medusa", "Ncrack")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the execution of automated brute force tools.

7. Detect Unusual Account Lockouts

```kusto
IdentityLogonEvents
// A lockout surfaces as a failed logon whose FailureReason names the locked account. The exact value
// differs between data sources, so match it loosely.
| where ActionType == "LogonFailed" and FailureReason contains "lock"
| summarize LockoutCount = count(), LastLockout = max(Timestamp)
    by AccountName, DeviceName, bin(Timestamp, 1d)
| where LockoutCount > 1
| project Timestamp, AccountName, DeviceName, LockoutCount, LastLockout
```

Purpose: Identify accounts that have been locked out due to repeated failed logon attempts.

8. Monitor for Failed Logons Across Multiple Devices

```kusto
IdentityLogonEvents
| where ActionType == "LogonFailed"
| summarize FailedAttempts = count(), Devices = dcount(DeviceName), LastFailure = max(Timestamp)
    by AccountName, bin(Timestamp, 1h)
// Require more than one device, otherwise this duplicates the per-device query above.
| where FailedAttempts > 10 and Devices > 1
| project Timestamp, AccountName, FailedAttempts, Devices, LastFailure
```

Purpose: Detect failed logon attempts occurring across multiple devices, which may indicate distributed brute force attacks.

9. Identify Unusual Logon Attempts by Non-Admin Accounts

```kusto
IdentityLogonEvents
// There is no has_not_any operator in KQL; negate has_any instead.
| where not(AccountName has_any ("admin", "administrator")) and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastFailure = max(Timestamp)
    by AccountName, DeviceName, bin(Timestamp, 1h)
| where FailedAttempts > 5
| project Timestamp, AccountName, DeviceName, FailedAttempts, LastFailure
```

Purpose: Monitor for brute force attempts targeting non-administrative accounts.

10. Detect Brute Force Attempts on Remote Access Services

```kusto
DeviceNetworkEvents
// Inbound connections to the service ports on this host; see the SSH query for why there is no "denied" filter.
| where LocalPort in (3389, 22, 443) and ActionType == "InboundConnectionAccepted"
| summarize Connections = count(), LastSeen = max(Timestamp)
    by RemoteIP, DeviceName, LocalPort, bin(Timestamp, 1h)
| where Connections > 10
| project Timestamp, RemoteIP, DeviceName, LocalPort, Connections, LastSeen
```

Purpose: Identify brute force attempts targeting remote access services such as RDP, SSH, or VPN.
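Every query in this section stops at a count of failures. The triage question a responder actually needs answered is whether any of those bursts was followed by a success from the same source. The following query, an added example that is not part of the original page, joins hourly failure buckets from DeviceLogonEvents to subsequent successful logons from the same RemoteIP and labels the pattern as a spray (many accounts) or a brute force (one account); the thresholds and the one-day lookback are assumptions.

```kusto
// Added example: failed-then-succeeded logon correlation over DeviceLogonEvents.
let lookback = 1d;
let window = 1h;
let failure_threshold = 10;
let failures =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed" and isnotempty(RemoteIP)
    | summarize Failures = count(),
                TargetAccounts = dcount(AccountName),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp)
              by RemoteIP, DeviceName, Window = bin(Timestamp, window)
    | where Failures >= failure_threshold;
let successes =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess" and isnotempty(RemoteIP)
    // Only logons that arrive over the network can belong to the same source as the failures.
    | where LogonType in ("Network", "RemoteInteractive")
    | project SuccessTime = Timestamp, RemoteIP, DeviceName, SucceededAccount = AccountName, LogonType;
failures
| join kind=inner successes on RemoteIP, DeviceName
// The success must land inside the failure burst or within one window after it ended.
| where SuccessTime between (FirstFailure .. (LastFailure + window))
// Many distinct target accounts with few tries each is a spray; many tries on one account is a brute force.
| extend Pattern = iff(TargetAccounts > 1, "spray", "brute-force")
| project Window, RemoteIP, DeviceName, Failures, TargetAccounts, Pattern, SucceededAccount, LogonType, SuccessTime
| order by Failures desc
```

A row here is an account to treat as compromised until proven otherwise; the RemoteIP and SucceededAccount are the pivot points for the follow-on lateral movement hunt.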

3. T1555 - Credentials from Password Stores

Objective: Detect attempts to access or extract credentials stored in password stores or credential managers.

1. Detect Access to Windows Credential Manager

```kusto
DeviceProcessEvents
| where FileName =~ "cmdkey.exe" or ProcessCommandLine has "cmdkey"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to access credentials stored in the Windows Credential Manager using cmdkey.

2. Monitor for Access to the Windows Vault

```kusto
DeviceFileEvents
// DeviceFileEvents records creation, modification, rename and deletion, not reads, and a literal
// %USERNAME% never matches a recorded path; match the profile-relative part of the path instead.
| where FolderPath contains @"\AppData\Local\Microsoft\Vault"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect processes creating, copying or modifying files within the Windows Vault directory.

3. Identify Use of Browsing Data Extraction Tools

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("WebBrowserPassView", "ChromePass", "FirefoxDecrypt")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the execution of tools designed to extract credentials from web browsers.

4. Detect Access to LSA Secrets

```kusto
DeviceProcessEvents
| where ProcessCommandLine has "secretsdump.py"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to dump LSA secrets using tools like secretsdump.py.

5. Monitor for PowerShell Credential Dumping Commands

```kusto
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe") or ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("Get-Credential", "Export-Credential")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect PowerShell commands attempting to dump or export credentials.

6. Identify Suspicious Access to Keychain on macOS (if applicable)

```kusto
DeviceProcessEvents
// The macOS "security" binary reads the keychain through these subcommands.
| where FileName =~ "security" and ProcessCommandLine has_any ("find-generic-password", "find-internet-password", "dump-keychain")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for suspicious access to the macOS Keychain, which stores user credentials.

7. Detect Access to Saved Passwords in Web Browsers

```kusto
DeviceFileEvents
| where FolderPath has_any (@"\AppData\Local\Google\Chrome\User Data", @"\AppData\Roaming\Mozilla\Firefox\Profiles")
// Saved credentials live in specific files: Chrome's "Login Data" and Firefox's logins.json with its key4.db.
| where FileName in~ ("Login Data", "logins.json", "key4.db")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify attempts to access files associated with saved passwords in web browsers.

8. Monitor for Unusual Access to DPAPI Master Keys

```kusto
DeviceFileEvents
| where FolderPath contains @"\AppData\Roaming\Microsoft\Protect"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect access to DPAPI (Data Protection API) master keys, which are used to protect stored credentials.

9. Identify Access to Password-Protected Archives

```kusto
DeviceFileEvents
// DeviceFileEvents has neither a FileExtension nor a ProcessCommandLine column; derive the extension from
// FileName and read the command line of the process that touched the file.
| where FileName matches regex @"(?i)\.(zip|rar|7z)$"
| where InitiatingProcessCommandLine has "password"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for attempts to access or extract credentials from password-protected archives.

10. Detect Access to Credential Files in Remote Desktop Clients

```kusto
DeviceFileEvents
| where FolderPath contains @"\AppData\Local\Microsoft\Remote Desktop"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify access to credential files stored by Remote Desktop clients.

4. T1552 - Unsecured Credentials

Objective: Detect attempts to locate or use unsecured credentials, such as plaintext passwords or keys, stored in files or environment variables.

1. Detect Access to Plaintext Credential Files

```kusto
DeviceFileEvents
| where FileName matches regex @"(?i)\.(txt|log|conf|ini)$"
| where FileName has_any ("password", "credentials", "creds")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify access to files that may contain plaintext credentials.

2. Monitor for Environment Variables Containing Credentials

```kusto
DeviceProcessEvents
// Match the variable name itself so both PowerShell ($env:NAME) and shell ($NAME) references are caught.
| where ProcessCommandLine contains "AWS_SECRET_ACCESS_KEY" or ProcessCommandLine contains "AZURE_CLIENT_SECRET"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect commands that access environment variables containing credentials.

3. Identify Access to SSH Private Keys

```kusto
DeviceFileEvents
| where FileName endswith ".pem" or FileName has_any ("id_rsa", "id_ed25519", "id_ecdsa")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for access to SSH private keys that may be stored insecurely.

4. Detect Access to Cloud Provider Credential Files

```kusto
DeviceFileEvents
// The files the CLIs actually write: ~/.aws/credentials, the Azure CLI token cache under ~/.azure,
// and gcloud's application_default_credentials.json / credentials.db under ~/.config/gcloud.
| where (FolderPath has ".aws" and FileName =~ "credentials")
    or (FolderPath has ".azure" and FileName in~ ("accessTokens.json", "msal_token_cache.bin", "azureProfile.json"))
    or (FolderPath has "gcloud" and FileName in~ ("application_default_credentials.json", "credentials.db", "access_tokens.db"))
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify attempts to access cloud provider credential files.

5. Monitor for Access to Hardcoded Credentials in Scripts

```kusto
DeviceFileEvents
// There is no file-content column in DeviceFileEvents. The nearest host-side signal is a script whose name
// advertises credentials; finding actual hardcoded secrets needs a content scan (DLP or a repository secret scanner).
| where FileName matches regex @"(?i)(pass|cred|secret).*\.(ps1|sh|bat)$"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect access to scripts that may contain hardcoded credentials.

6. Identify Use of Commands to Dump Stored Credentials

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("gpg --decrypt", "openssl rsa")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the use of commands that could decrypt stored credentials.

7. Detect Access to Credential Files in Version Control

```kusto
DeviceFileEvents
| where FolderPath has_any (".git", ".svn") and FileName contains "credentials"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify access to credential files stored in version control systems.

8. Monitor for Access to SQL Connection Strings

```kusto
DeviceFileEvents
// File content is not visible here; target the configuration files that conventionally hold connection strings.
| where FileName in~ ("web.config", "app.config", "connectionstrings.config") or FileName startswith "appsettings"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect access to configuration files that may contain SQL connection strings with embedded credentials.

9. Identify Download of Publicly Exposed Credential Files

```kusto
DeviceNetworkEvents
// The original "contains X or Y" compared RemoteUrl with one string and then evaluated the other as a bare literal;
// each path segment needs its own comparison.
| where RemoteUrl contains "/secrets/" or RemoteUrl contains "/credentials/"
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for downloads from URLs that may expose unsecured credentials.

10. Detect Unencrypted Passwords Stored in Browser Extensions

```kusto
DeviceFileEvents
// No content inspection is available in this table; fall back to a file-name match inside the extension folders.
| where FolderPath has_any (@"Chrome\Extensions", @"Firefox\Profiles") and FileName has "password"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify access to browser extensions that may store unencrypted passwords.

5. T1111 - Two-Factor Authentication Interception

Objective: Detect attempts to intercept or bypass two-factor authentication (2FA) mechanisms.

1. Detect Attempts to Access 2FA Backup Codes

```kusto
DeviceFileEvents
// DeviceFileEvents has no FileOperation column and does not record reads; this catches the file being created, copied or modified.
| where FileName contains "2fa_backup_codes"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify attempts to access files containing 2FA backup codes.

2. Monitor for Unusual 2FA Push Notifications

```kusto
DeviceNetworkEvents
// Hostnames are in RemoteUrl, not RemoteIP, and this table has no RequestMethod column; the HTTP method is
// only visible in the AdditionalFields of HttpConnectionInspected events.
| where RemoteUrl has_any ("authy.com", "duosecurity.com", "google.com")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect suspicious 2FA push notifications that may indicate interception.

3. Identify Phishing Attacks Targeting 2FA Credentials

```kusto
DeviceNetworkEvents
| where RemoteUrl has_any ("2fa", "auth", "otp")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for phishing attempts that target 2FA credentials.

4. Detect Access to OTP Generator Apps

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("Google Authenticator", "Authy", "Microsoft Authenticator")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to access or interact with OTP generator apps.

5. Monitor for Unusual 2FA Verification Requests

```kusto
DeviceNetworkEvents
// "in" compares whole strings, so a CIDR range never matches; use the IPv4 range function instead.
| where ipv4_is_in_any_range(RemoteIP, dynamic(["216.58.0.0/16", "23.45.0.0/16"]))
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect unusual or repeated 2FA verification requests that may indicate interception attempts.

6. Identify Attempts to Modify 2FA Settings

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("disable_2fa", "remove_otp", "change_auth_method")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for attempts to disable or modify 2FA settings.

7. Detect Use of Tools for 2FA Interception

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("evilginx", "Modlishka", "man-in-the-middle")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of tools designed to intercept 2FA tokens.

8. Monitor for Access to 2FA Secret Keys

```kusto
DeviceFileEvents
| where FileName contains "otp_secret"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect access to files containing 2FA secret keys.

9. Identify Access to SIM Cards or Mobile Devices

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("SIM", "phone", "mobile device")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for attempts to intercept 2FA by accessing SIM cards or mobile devices.

10. Detect Cloning or Reprovisioning of 2FA Devices

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("clone_device", "reprovision", "generate_otp")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to clone or reprovision devices used for generating 2FA codes.

6. T1528 - Steal Application Access Token

Objective: Detect attempts to steal or use application access tokens to gain unauthorized access to resources.

1. Detect Unusual Access to OAuth Tokens

```kusto
DeviceFileEvents
// No FileOperation column exists and reads are not recorded; this catches token files being created, copied or modified.
| where FileName contains "oauth"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify attempts to access OAuth tokens stored on the system.

2. Monitor for Use of Stolen Access Tokens

```kusto
DeviceNetworkEvents
// DeviceNetworkEvents has no RequestMethod column; match on the URL alone.
| where RemoteUrl has_any ("token", "access_token")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Detect the use of stolen access tokens to authenticate API requests.

3. Identify Access to Web Browser Session Tokens

```kusto
DeviceFileEvents
| where FolderPath has_any (@"\AppData\Local\Google\Chrome\User Data", @"\AppData\Roaming\Mozilla\Firefox\Profiles")
// Session tokens are held in the cookie stores as well as in session files.
| where FileName contains "session" or FileName in~ ("Cookies", "cookies.sqlite")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for access to files containing web browser session tokens.

4. Detect Token Injection Attempts

```kusto
DeviceProcessEvents
| where ProcessCommandLine has "Invoke-RestMethod" and ProcessCommandLine has "Authorization: Bearer"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to inject stolen tokens into API requests.

5. Monitor for Access Token Replay Attacks

```kusto
DeviceNetworkEvents
// Request headers are not recorded in this table; a bearer token is only visible when a command-line client
// passes it as an argument, which is what the initiating process command line captures.
| where RemoteUrl has "api" and InitiatingProcessCommandLine has "Authorization: Bearer"
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect replay of stolen access tokens in API requests.

6. Identify Unusual Use of JWT Tokens

```kusto
DeviceProcessEvents
| where ProcessCommandLine has "jwt"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for suspicious usage of JWT (JSON Web Tokens), which might indicate token theft.

7. Detect Unauthorized Access to Cloud Provider Tokens

```kusto
DeviceFileEvents
| where FileName has_any ("gcloud", "aws", "azure")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Identify unauthorized access to cloud provider tokens stored on the system.

8. Monitor for Attempts to Export Access Tokens

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("export_token", "extract_token")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect attempts to export or extract access tokens from applications.

9. Identify Suspicious OAuth Token Refresh Requests

```kusto
DeviceNetworkEvents
| where RemoteUrl has "refresh_token"
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```

Purpose: Monitor for unusual or repeated OAuth token refresh requests.

10. Detect Malicious Token Exchange Processes

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("token_exchange", "exchange_token")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify attempts to perform token exchange processes that may be part of an attack.


Last updated 4 months ago