Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)
Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)
Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1212 | Exploitation for Credential Access | |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1212 | Exploitation for Credential Access | |
| action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1212 | Exploitation for Credential Access | |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1212 | Exploitation for Credential Access | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1212 | Exploitation for Credential Access | |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1212 | Exploitation for Credential Access | |
| attribute.confidentiality.data_disclosure | None | related-to | T1212 | Exploitation for Credential Access | |
| amazon_inspector | Amazon Inspector | technique_scores | T1212 | Exploitation for Credential Access |
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
| aws_config | AWS Config | technique_scores | T1212 | Exploitation for Credential Access |
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one).Both can reduce instances' attack surface for adversary exploitation, including for credential access.
All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
|
| aws_secrets_manager | AWS Secrets Manager | technique_scores | T1212 | Exploitation for Credential Access |
Comments
This control may protect against exploitation for credential access by removing credentials and secrets from applications that can be exploited and requiring authenticated API calls to retrieve those credentials and secrets.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1212 | Exploitation for Credential Access |
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.
EC2 instances that have missing security patches for important vulnerabilities
This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
|