T1552.001 · credential-access · 14 actors · 9 correlated reports

Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files. They may also be found as parameters to deployment commands in container logs. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Observed actors

Indrik Spider
G0119 APT3
G0022 Kimsuky
G0094 MuddyWater
G0069 Leafminer
G0077 TeamTNT
G0139 Scattered Spider
G1015 OilRig
G0049 TA505
G0092 RedCurl
G1039 Ember Bear
G1003 Fox Kitten
G0117 APT33
G0064 FIN13
G1016

Correlated CTI and IR reports

APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention CTI Research: Kubernetes & Cloud-Native Threat Landscape
1200km CTI repository · explicit report mention Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention Attack Playbook Operation DragonRx
1200km Medium · authored report mention CTI Research Kubernetes Cloud Native Threat Landscape
1200km Medium · authored report mention Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research