Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Незащищенные учетные данные
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Незащищенные учетные данные
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Незащищенные учетные данные

ID Name
.001 Учетные данные в файлах
.002 Учетные данные в реестре
.003 История команд bash
.004 Закрытые ключи
.005 API метаданных облачных экземпляров
.006 Параметры групповой политики
.007 API Контейнер

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

ID: T1552
Суб-техники:  .001 .002 .003 .004 .005 .006 .007
Тактика(-и): Credential Access
Платформы: Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Требуемые разрешения: Administrator, SYSTEM, User
Источники данных: Command: Command Execution, File: File Access, Process: Process Creation, User Account: User Account Authentication, Windows Registry: Windows Registry Key Access
Версия: 1.2
Дата создания: 04 Feb 2020
Последнее изменение: 01 Apr 2022

Примеры процедур
Название Описание
Astaroth

Astaroth uses an external software known as NetPass to recover passwords. (Citation: Cybereason Astaroth Feb 2019)

Контрмеры
Контрмера Описание
Encrypt Sensitive Information

Protect sensitive information with strong encryption.
Update Software

Perform regular software updates to mitigate exploitation risk.
User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
Password Policies

Set and enforce secure password policies for accounts.
Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Обнаружение

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history. Additionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Ссылки

  1. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  2. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
  3. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
  4. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.
  5. Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.