Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
| azure_automation_update_management | Azure Automation Update Management | technique_scores | T1212 | Exploitation for Credential Access |
Comments
This control provides significant coverage of credential access techniques that leverage unpatched software vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
|
| azure_policy | Azure Policy | technique_scores | T1212 | Exploitation for Credential Access |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1212 | Exploitation for Credential Access |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|