560 - Use of Known Domain Credentials

Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.

Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data.

| MITRE ATT&CK | T1078 - Valid Accounts |

Types of Valid Domain Credential Attacks

Remote Services with Stolen Credentials

| MITRE ATT&CK | T1021 - Remote Services T1114.002 - Email Collection: Remote Email Collection T1133 - External Remote Services |

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

Credential Stuffing

| MITRE ATT&CK | T1110.004 - Brute Force: Credential Stuffing |

Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.

The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.

Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.

Credential Stuffing attacks are similar to Password Spraying attacks CAPEC-565 regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.

Further information on Credential Stuffing can be found on the OWASP Credential Stuffing page.

Use of Known Kerberos Credentials

| MITRE ATT&CK | T1558 - Steal or Forge Kerberos Tickets |

Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.

Use of Known Operating System Credentials

| MITRE ATT&CK | T1078 - Valid Accounts |

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Techniques

  1. Explore

    • Acquire known credentials: The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.

    • An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.

    • An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.

    • An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.

    • An adversary gains access to a system/files and exfiltrates password hashes.

    • An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.

    • Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

    • Determine minimum and maximum allowed password lengths.

    • Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).

    • Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

  2. Experiment

    • Attempt authentication: Try each operating system credential against various systems, applications, and services within the domain until the target grants access.

    • Manually or automatically enter each credential through the target's interface.

  3. Exploit

    • Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network

    • Spoofing: Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.

    • Data Exfiltration: The adversary can obtain sensitive data contained within system files or application configuration.

Sources

  1. CAPEC - 560

  2. CAPEC - 555

  3. CAPEC - 600

  4. CAPEC - 652

  5. CAPEC - 553

Previous252 - PHP Local File Inclusion (LFI)Next644 - Use of Captured Hashes (Pass-the-Hash (PtH))

Last updated