Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| artifact_registry | Artifact Registry | technique_scores | T1212 | Exploitation for Credential Access |
Comments
Once this control is deployed, it can detect known OS package vulnerabilities in various Linux OS packages that could be used to escalate privileges and execute adversary-controlled code (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS, National Vulnerability Database)
References
|
| chronicle | Chronicle | technique_scores | T1212 | Exploitation for Credential Access |
Comments
Chronicle triggers alerts based on credential exploit attempts (e.g., read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear-text)).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/cve_2018_13379_fortigate_ssl_vpn_arbitrary_file_reading.yaral
References
|
| policy_intelligence | Policy Intelligence | technique_scores | T1212 | Exploitation for Credential Access |
Comments
IAM Recommender helps admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.
References
|
| vmmanager | VMManager | technique_scores | T1212 | Exploitation for Credential Access |
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
References
|
| container_registry | Container Registry | technique_scores | T1212 | Exploitation for Credential Access |
Comments
Once this control is deployed, it can detect known vulnerabilities in various OS packages that could be used to escalate privileges and execute adversary-controlled code (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS, National Vulnerability Database). Due to the medium threat detection coverage and temporal factor, the control was scored as partial.
References
|