Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-ptt | Intel Platform Trust Technology | Win 11, Credential Guard | T1589.001 | Credentials |
Comments
Credential Guard uses Intel VT-x for providing Virtualization-based security (VBS), to isolate secrets so that only privileged system software can access them. It isolates LSA-related processes and provides real-time protection against in-memory credential-stealing attempts. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot (Intel PTT and Intel Boot Guard) and virtualization, to protect credentials.
Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications such as domain credentials. However, it does not protect against all forms of credential dumping, such as registry dumping. Credential Guard benefits from enabling Secure Boot (BootGuard) and UEFI Lock. When Secure Boot is enabled, a secure and verified environment is established from the start of the boot process. With UEFI Lock, Credential Guard settings are stored in UEFI firmware, significantly increasing the difficulty of disabling Credential Guard through registry changes.
This is marked as partial since it uses VBS to isolate LSA related processes and provides some protection against in-memory credential stealing attempts.
References
|