Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1555 | Credentials from Password Stores |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IAM-15 | Passwords Management | mitigates | T1555 | Credentials from Password Stores |
Comments
This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access.
References
|
| IAM-06 | User Access Provisioning | mitigates | T1555 | Credentials from Password Stores |
Comments
This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.
References
|
| IAM-07 | User Access Changes and Revocation | mitigates | T1555 | Credentials from Password Stores |
Comments
This control focuses on the secure deprovisioning of user access by automating account removal, detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1555.005 | Password Managers | 3 |
| T1555.003 | Credentials from Web Browsers | 1 |
| T1555.006 | Cloud Secrets Management Stores | 6 |