Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams exchange experience and work products.

Credentials from Password Stores: Password Managers

Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019) Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

ID: T1555.005
Sub-technique of: T1555
Tactic(s): Credential Access
Platforms: Linux, macOS, Windows
Permissions Required: User
Data Sources: Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Access
Version: 1.0
Created: 22 Jan 2021
Last Modified: 25 Mar 2022

Procedure Examples

Name    Description

During Operation Wocao, threat actors accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019)

Threat Group-3390

Threat Group-3390 obtained a KeePass database from a compromised host.(Citation: Trend Micro DRBControl February 2020)

Fox Kitten

Fox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

MarkiRAT

MarkiRAT can gather information from the Keepass password manager.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Proton

Proton gathers credentials in files for 1password.(Citation: objsee mac malware 2017)

TrickBot

TrickBot can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor December 2019)

Operation Wocao

Operation Wocao has accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019)

Mitigations

Mitigation    Description
Update Software

Perform regular software updates to mitigate exploitation risk.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.

Password Policies

Set and enforce secure password policies for accounts.

Detection

Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching the process memory of password managers. Consider monitoring file reads of the databases belonging to known password manager applications.
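As an added example (not part of this page or of ATT&CK), the detection ideas above turned into a small rule pass over constructed endpoint events that cover the Process Access, File Access and Command Execution data sources listed for this sub-technique. The process names, the trusted-agent allowlist and the vault file extensions are assumptions; `.kdbx` is the KeePass 2.x database format named on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed process names and vault file extensions (constructed for this example).
PASSWORD_MANAGERS = {"keepass.exe", "1password.exe"}
VAULT_EXTENSIONS = (".kdbx", ".opvault")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "python.exe", "wscript.exe"}
PROCESS_VM_READ = 0x0010   # Windows access right required to read another process's memory
# Agents expected to open handles on the password manager (EDR/AV); constructed placeholder name.
TRUSTED_READERS = {"example-edr-agent.exe"}

@dataclass
class Event:
    kind: str              # "process_access" | "file_access" | "command"
    source: str            # image name of the acting process
    target: str = ""       # target process (process_access) or file path (file_access)
    access_mask: int = 0   # granted access mask (process_access only)
    command: str = ""      # full command line (command only)

def classify(ev: Event) -> Optional[str]:
    """Return a reason when the event matches a T1555.005 detection idea, else None."""
    src, tgt = ev.source.lower(), ev.target.lower()
    if ev.kind == "process_access":
        # Process Access: a memory-reading handle on the password manager from anything
        # other than the manager itself or a trusted agent may indicate memory scraping.
        if (tgt in PASSWORD_MANAGERS and ev.access_mask & PROCESS_VM_READ
                and src not in (PASSWORD_MANAGERS | TRUSTED_READERS)):
            return f"{src} opened {tgt} with a memory-read access mask (0x{ev.access_mask:x})"
    elif ev.kind == "file_access":
        # File Access: vault files are normally read only by the password manager.
        if tgt.endswith(VAULT_EXTENSIONS) and src not in PASSWORD_MANAGERS:
            return f"{src} read vault file {ev.target}"
    elif ev.kind == "command":
        # Command Execution: a script host handling a vault file (copy, upload, parse).
        if src in SCRIPT_HOSTS and any(ext in ev.command.lower() for ext in VAULT_EXTENSIONS):
            return f"{src} referenced a vault file on its command line"
    return None

def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify() over an event stream; return (index, reason) for every hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev)) is not None]

# Constructed sample events, not real telemetry.
SAMPLE = [
    Event("process_access", "KeePass.exe", "KeePass.exe", 0x1FFFFF),             # self-access, benign
    Event("process_access", "example-edr-agent.exe", "KeePass.exe", 0x1010),     # trusted agent
    Event("process_access", "updater.exe", "KeePass.exe", 0x1F0FFF),             # unexpected reader
    Event("file_access", "KeePass.exe", r"C:\Users\alice\Documents\vault.kdbx"), # benign
    Event("file_access", "powershell.exe", r"C:\Users\alice\Documents\vault.kdbx"),
    Event("command", "cmd.exe", command=r'copy "C:\Users\alice\Documents\vault.kdbx" \\fileshare\drop\db.bin'),
]
```

Running `scan(SAMPLE)` flags events 2, 4 and 5; the first two process-access events are suppressed by the self-access and trusted-agent conditions, which is where most tuning effort goes in practice.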

Related risks

Nothing found
