T1212 Exploitation for Credential Access Mappings

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1212 Exploitation for Credential Access
AC-4 Information Flow Enforcement Protects T1212 Exploitation for Credential Access
AC-6 Least Privilege Protects T1212 Exploitation for Credential Access
CA-7 Continuous Monitoring Protects T1212 Exploitation for Credential Access
CA-8 Penetration Testing Protects T1212 Exploitation for Credential Access
CM-2 Baseline Configuration Protects T1212 Exploitation for Credential Access
CM-6 Configuration Settings Protects T1212 Exploitation for Credential Access
CM-8 System Component Inventory Protects T1212 Exploitation for Credential Access
RA-10 Threat Hunting Protects T1212 Exploitation for Credential Access
RA-5 Vulnerability Monitoring and Scanning Protects T1212 Exploitation for Credential Access
SC-18 Mobile Code Protects T1212 Exploitation for Credential Access
SC-2 Separation of System and User Functionality Protects T1212 Exploitation for Credential Access
SC-26 Decoys Protects T1212 Exploitation for Credential Access
SC-29 Heterogeneity Protects T1212 Exploitation for Credential Access
SC-3 Security Function Isolation Protects T1212 Exploitation for Credential Access
SC-30 Concealment and Misdirection Protects T1212 Exploitation for Credential Access
SC-35 External Malicious Code Identification Protects T1212 Exploitation for Credential Access
SC-39 Process Isolation Protects T1212 Exploitation for Credential Access
SC-7 Boundary Protection Protects T1212 Exploitation for Credential Access
SI-2 Flaw Remediation Protects T1212 Exploitation for Credential Access
SI-3 Malicious Code Protection Protects T1212 Exploitation for Credential Access
SI-4 System Monitoring Protects T1212 Exploitation for Credential Access
SI-5 Security Alerts, Advisories, and Directives Protects T1212 Exploitation for Credential Access
SI-7 Software, Firmware, and Information Integrity Protects T1212 Exploitation for Credential Access
CVE-2017-11368 n/a uncategorized T1212 Exploitation for Credential Access
CVE-2019-11510 n/a uncategorized T1212 Exploitation for Credential Access
CVE-2014-0751 n/a uncategorized T1212 Exploitation for Credential Access
CVE-2018-20753 n/a uncategorized T1212 Exploitation for Credential Access
CVE-2018-13379 Fortinet FortiOS, FortiProxy uncategorized T1212 Exploitation for Credential Access
CVE-2016-6415 n/a uncategorized T1212 Exploitation for Credential Access
CVE-2013-5054 n/a uncategorized T1212 Exploitation for Credential Access
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1212 Exploitation for Credential Access
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1212 Exploitation for Credential Access
action.hacking.variety.Session fixation Session fixation. Child of 'Exploit vuln'. related-to T1212 Exploitation for Credential Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1212 Exploitation for Credential Access
action.malware.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) related-to T1212 Exploitation for Credential Access
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1212 Exploitation for Credential Access
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1212 Exploitation for Credential Access
aws_config AWS Config technique_scores T1212 Exploitation for Credential Access
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one).Both can reduce instances' attack surface for adversary exploitation, including for credential access. All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
amazon_inspector Amazon Inspector technique_scores T1212 Exploitation for Credential Access
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
aws_security_hub AWS Security Hub technique_scores T1212 Exploitation for Credential Access
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
aws_secrets_manager AWS Secrets Manager technique_scores T1212 Exploitation for Credential Access
Comments
This control may protect against exploitation for credential access by removing credentials and secrets from applications that can be exploited and requiring authenticated API calls to retrieve those credentials and secrets.
References