| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1212 | Exploitation for Credential Access |
| AC-4 | Information Flow Enforcement | Protects | T1212 | Exploitation for Credential Access |
| AC-6 | Least Privilege | Protects | T1212 | Exploitation for Credential Access |
| CA-7 | Continuous Monitoring | Protects | T1212 | Exploitation for Credential Access |
| CA-8 | Penetration Testing | Protects | T1212 | Exploitation for Credential Access |
| CM-2 | Baseline Configuration | Protects | T1212 | Exploitation for Credential Access |
| CM-6 | Configuration Settings | Protects | T1212 | Exploitation for Credential Access |
| CM-8 | System Component Inventory | Protects | T1212 | Exploitation for Credential Access |
| RA-10 | Threat Hunting | Protects | T1212 | Exploitation for Credential Access |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1212 | Exploitation for Credential Access |
| SC-18 | Mobile Code | Protects | T1212 | Exploitation for Credential Access |
| SC-2 | Separation of System and User Functionality | Protects | T1212 | Exploitation for Credential Access |
| SC-26 | Decoys | Protects | T1212 | Exploitation for Credential Access |
| SC-29 | Heterogeneity | Protects | T1212 | Exploitation for Credential Access |
| SC-3 | Security Function Isolation | Protects | T1212 | Exploitation for Credential Access |
| SC-30 | Concealment and Misdirection | Protects | T1212 | Exploitation for Credential Access |
| SC-35 | External Malicious Code Identification | Protects | T1212 | Exploitation for Credential Access |
| SC-39 | Process Isolation | Protects | T1212 | Exploitation for Credential Access |
| SC-7 | Boundary Protection | Protects | T1212 | Exploitation for Credential Access |
| SI-2 | Flaw Remediation | Protects | T1212 | Exploitation for Credential Access |
| SI-3 | Malicious Code Protection | Protects | T1212 | Exploitation for Credential Access |
| SI-4 | System Monitoring | Protects | T1212 | Exploitation for Credential Access |
| SI-5 | Security Alerts, Advisories, and Directives | Protects | T1212 | Exploitation for Credential Access |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1212 | Exploitation for Credential Access |
| CVE-2017-11368 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2019-11510 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2014-0751 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2018-20753 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2018-13379 | Fortinet FortiOS, FortiProxy | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2016-6415 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| CVE-2013-5054 | n/a | uncategorized | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations (such as Remote injection when a Remote injection vuln exists). | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1212 | Exploitation for Credential Access |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1212 | Exploitation for Credential Access |
| aws_config | AWS Config | technique_scores | T1212 | Exploitation for Credential Access |

Comments: The "ec2-managedinstance-applications-blacklisted" managed rule verifies that none of a pre-defined list of applications is installed on the specified managed instances. It can be used to flag vulnerable applications (prompting removal before they can be exploited) and to flag allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running the desired platform type and platform version, rather than an out-of-date one. Both reduce the instances' attack surface for adversary exploitation, including exploitation for credential access.

Both rules are evaluated on configuration changes. Coverage is partial because they apply only to a subset of AWS services (instances managed by Systems Manager) and only catch forms of exploitation that can be identified from installed software and platform version, giving an overall score of Partial.
| amazon_inspector | Amazon Inspector | technique_scores | T1212 | Exploitation for Credential Access |

Comments: Amazon Inspector can detect known vulnerabilities on Windows and Linux endpoints. In addition, the Amazon Inspector Best Practices assessment package checks the "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" controls, which make it harder for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, or software the scanner does not analyze. As a result, the score is capped at Partial.
| aws_security_hub | AWS Security Hub | technique_scores | T1212 | Exploitation for Credential Access |

Comments: AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities an adversary could exploit at any stage of the attack lifecycle, including for credential access. AWS Security Hub provides this detection with the following managed insight:

"EC2 instances that have missing security patches for important vulnerabilities"

This is scored as Partial because the checks associated with Security Hub only report on missing patches for known vulnerabilities. They do not cover zero-day vulnerabilities.
| aws_secrets_manager | AWS Secrets Manager | technique_scores | T1212 | Exploitation for Credential Access |

Comments: This control may protect against exploitation for credential access by removing credentials and secrets from the application code and configuration an adversary could exploit, and by requiring an authenticated, IAM-authorized API call to retrieve those credentials and secrets at runtime.
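The pattern the Secrets Manager comment describes, as an added example that is not code from AWS or from the mapping project: an embedded database password is replaced by a runtime `get_secret_value` call (the real boto3 method name), authorized by a least-privilege policy granting only `secretsmanager:GetSecretValue` (the real IAM action) on one secret. The secret name `prod/app/db`, the sample secret payload, and the offline `FakeSecretsManager` stand-in are constructed for this illustration so the block runs without AWS credentials.

```python
"""Added example: swapping an embedded credential for a runtime
Secrets Manager lookup. The secret name, sample payload and the
offline FakeSecretsManager stand-in are constructed for illustration."""
import json
from dataclasses import dataclass


# --- Before: the pattern Secrets Manager is meant to remove ---------------
# A credential compiled or configured into the application is recoverable
# by anyone who can read the repository, the container image, the binary,
# or a memory dump of the process.
EMBEDDED_DB_PASSWORD = "hunter2"  # constructed, deliberately weak


def connect_insecure() -> dict:
    return {"username": "app_rw", "password": EMBEDDED_DB_PASSWORD}


# --- After: fetch at runtime through an authenticated API call -----------
@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str


def load_db_credentials(client, secret_id: str) -> DbCredentials:
    """Fetch and validate a JSON secret.

    `client` is a boto3 secretsmanager client, or any object exposing the
    same get_secret_value(SecretId=...) method, so the caller's IAM identity
    rather than an embedded string is what authorizes the read.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        # SecretBinary payloads need a different decode path; fail closed.
        raise ValueError(f"{secret_id}: expected a SecretString payload")
    body = json.loads(resp["SecretString"])
    missing = {"username", "password", "host"} - body.keys()
    if missing:
        raise ValueError(f"{secret_id}: secret is missing {sorted(missing)}")
    return DbCredentials(body["username"], body["password"], body["host"])


def read_only_secret_policy(secret_arn: str) -> dict:
    """Least-privilege IAM policy for the role the application runs under:
    it may read this one secret and nothing else in Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            }
        ],
    }


class FakeSecretsManager:
    """Offline stand-in (constructed) with the boto3 method signature the
    example needs, so the block runs without AWS credentials."""

    def __init__(self, store: dict):
        self._store = store

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._store:
            # The real client raises ResourceNotFoundException here.
            raise KeyError(SecretId)
        return {"Name": SecretId, "SecretString": self._store[SecretId]}


# Constructed sample secret, shaped like a Secrets Manager database secret.
SAMPLE_STORE = {
    "prod/app/db": json.dumps(
        {"username": "app_rw", "password": "s3cr3t-from-vault", "host": "db.internal"}
    )
}


if __name__ == "__main__":
    # Real use: client = boto3.client("secretsmanager", region_name="eu-west-1")
    client = FakeSecretsManager(SAMPLE_STORE)
    creds = load_db_credentials(client, "prod/app/db")
    print(f"connecting as {creds.username}@{creds.host}")
    arn = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/app/db-AbCdEf"
    print(json.dumps(read_only_secret_policy(arn), indent=2))
```

The caveat behind the Partial score is visible here: after `load_db_credentials` returns, the password is in process memory, and the role that authorizes the call is available to any code running under that identity on the host. Secrets Manager removes the secret from code, images and configuration at rest and makes every retrieval an audited `GetSecretValue` call, but it does not stop an adversary who has already gained execution inside the application.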