Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

ID: T1555
Platforms: Linux, Windows, macOS
Permissions Required: Administrator
Version: 1.0
Created: 11 February 2020
Last Modified: 01 April 2022

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[1]

G0016 APT29

APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[2]

G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[3][4]

G0087 APT39

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[5]

S0373 Astaroth

Astaroth uses an external software known as NetPass to recover passwords. [6]

S0484 Carberp

Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[7]

S0050 CosmicDuke

CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[8]

G0120 Evilnum

Evilnum can collect email credentials from victims.[9]

G0037 FIN6

FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[10]

S0526 KGH_SPY

KGH_SPY can collect credentials from WINSCP.[11]

S0349 LaZagne

LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[12]

G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne.[13]

S0447 Lokibot

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[14]

S0167 Matryoshka

Matryoshka is capable of stealing Outlook passwords.[15][16]

S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[17][18][19][20][21]

G0069 MuddyWater

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[22][23][24]

S0198 NETWIRE

NETWIRE can retrieve passwords from messaging and mail client applications.[25]

G0049 OilRig

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[26][27][28][29]

S0138 OLDBAIT

OLDBAIT collects credentials from several email clients.[30]

S0048 PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.[8]

S0435 PLEAD

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[31]

S0113 Prikormka

A module in Prikormka collects passwords stored in applications installed on the victim.[32]

S0192 Pupy

Pupy can use Lazagne for harvesting credentials.[33]

S0262 QuasarRAT

QuasarRAT can obtain passwords from common FTP clients.[34][35]

G0038 Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.[36]

Mitigations

ID Mitigation Description
M1027 Password Policies

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process OS API Execution
Process Access
Process Creation

Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.

References

  1. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  3. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  4. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  5. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  6. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  7. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  8. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  9. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  10. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  11. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  12. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  13. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  14. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  15. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  16. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  17. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  18. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  1. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  2. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  3. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  4. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  5. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  6. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  7. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  8. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  9. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  10. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  11. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  12. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  13. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  14. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  15. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  16. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  17. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  18. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.