# T1552 Unsecured Credentials

-----------------------------------------------------------------------

## Technique Description

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).

## Technique Detection

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.

Monitoring when the user's `.bash_history` is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like `cat ~/.bash_history`.

Additionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

-----------------------------------------------------------------------

### Tactics:

  * Credential-Access

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

  * Containers

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Data Sources:

  * **Windows Registry:** Windows Registry Key Access

  * **User Account:** User Account Authentication

  * **Process:** Process Creation

  * **Command:** Command Execution

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1552)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will search compromised systems to find and obtain insecurely stored credentials.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information here.

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md
  * https://github.com/EmpireProject/Empire
  * https://adsecurity.org/?page_id=1821
  * https://pentestlab.blog/2017/04/19/stored-credentials/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained.
- Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts (T1078) for more information.
- Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.
- Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.
- Additionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.
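
The two file-access heuristics in the notes above (a history file read by something other than the shell, and one process reading many files in a short window) as added example code; this is not part of the original playbook, and the event tuples, field order, thresholds and the window size are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-access events (the shape of Sysmon EID 11 / auditd open records), not real telemetry.
# Fields: timestamp, host, process name, pid, file path read.
FILE_EVENTS = [
    ("2022-06-23T10:00:00", "ws01", "bash", 4000, "/home/bob/.bash_history"),  # shell loading its own history
    ("2022-06-23T10:00:09", "ws01", "cat", 4101, "/home/bob/.bash_history"),   # direct read by another tool
    ("2022-06-23T10:05:00", "ws02", "find", 5200, "/home/alice/.ssh/id_rsa"),
    ("2022-06-23T10:05:01", "ws02", "find", 5200, "/etc/ssl/private/web.pem"),
    ("2022-06-23T10:05:02", "ws02", "find", 5200, "/opt/app/config/db.key"),
    ("2022-06-23T10:05:03", "ws02", "find", 5200, "/home/alice/.gnupg/secring.gpg"),
    ("2022-06-23T10:05:04", "ws02", "find", 5200, "/home/alice/backup.pfx"),
    ("2022-06-23T11:00:00", "ws03", "vim", 6100, "/home/carol/notes.txt"),
    ("2022-06-23T11:20:00", "ws03", "vim", 6100, "/home/carol/todo.txt"),
]

HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history")
# Interactive shells read their own history on startup/exit; any other reader is the signal.
SHELL_READERS = {"bash", "zsh", "sh", "dash"}

def detect_history_reads(events, allowed=SHELL_READERS):
    """Return events where a process other than a shell read a shell history file."""
    return [e for e in events if e[4].endswith(HISTORY_FILES) and e[2] not in allowed]

def detect_file_bursts(events, threshold=5, window_seconds=10):
    """Flag (host, process, pid) that read >= threshold distinct files inside window_seconds."""
    by_proc = defaultdict(list)
    for ts, host, proc, pid, path in events:
        by_proc[(host, proc, pid)].append((datetime.fromisoformat(ts), path))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for key, reads in by_proc.items():
        reads.sort()
        best, j = 0, 0
        for i in range(len(reads)):
            # slide the window end forward, then count distinct paths in reads[i:j]
            while j < len(reads) and reads[j][0] - reads[i][0] <= window:
                j += 1
            best = max(best, len({p for _, p in reads[i:j]}))
        if best >= threshold:
            alerts.append((*key, best))
    return alerts

if __name__ == "__main__":
    print(detect_history_reads(FILE_EVENTS))
    print(detect_file_bursts(FILE_EVENTS))
```

The threshold and window need tuning per environment: backup agents and indexers read many files quickly too, so pair the burst alert with the process name and user before escalating.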

#### Analytic 1

  * **Information:** 'cmdkey'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'cmdkey : Can display (/list), create (/add), or delete (/delete) login information.'

  * **Query:** ```process.name : cmdkey```
  
#### Analytic 2

  * **Information:** 'searching for a password'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password.'

  * **Query:** ```process.command_line : (*password* or *pwd* or *login* or *secure* or *credentials*)```

#### Analytic 3

  * **Information:** 'searching for a password reg query'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```process.name : reg.exe AND process.command_line : *```
  
#### Analytic 4

  * **Information:** 'Find private keys on the Windows file system.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Find private keys on the Windows file system'

  * **Query:** ```process.command_line : (*.key or *.pgp or *.gpg or *.ppk or *.p12 or *.pem or *.pfx or *.cer or *.p7b or *.asc)```
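
The four analytics above as added example code (not part of the original playbook), applied to constructed Sysmon EID 1 style process-creation events; the event field names mirror the Kibana queries, and `hunt()` with `min_analytics=2` is an assumed, simple form of the correlation the Hunter Notes call for.

```python
import re

# Constructed Sysmon EID 1 style process-creation events, not real telemetry.
EVENTS = [
    {"host": "ws01", "user": "bob", "process.name": "cmdkey.exe", "process.command_line": "cmdkey /list"},
    {"host": "ws01", "user": "bob", "process.name": "findstr.exe", "process.command_line": "findstr /si password *.txt *.xml *.ini"},
    {"host": "ws02", "user": "svc_build", "process.name": "reg.exe", "process.command_line": "reg query HKCU /f password /t REG_SZ /s"},
    {"host": "ws02", "user": "alice", "process.name": "reg.exe", "process.command_line": r"reg add HKCU\Software\Contoso /v Theme /d dark"},
    {"host": "ws03", "user": "alice", "process.name": "cmd.exe", "process.command_line": r"dir /s /b C:\Users\*.ppk *.pem *.pfx"},
    {"host": "ws03", "user": "alice", "process.name": "notepad.exe", "process.command_line": r"notepad.exe C:\Users\alice\Documents\login-process.docx"},
    {"host": "ws04", "user": "dan", "process.name": "explorer.exe", "process.command_line": "explorer.exe"},
]

# Analytic 2: the playbook's keyword list; Analytic 4: its private-key / certificate extensions.
PASSWORD_WORDS = re.compile(r"password|pwd|login|secure|credentials", re.IGNORECASE)
KEY_FILE_EXT = re.compile(r"\.(key|pgp|gpg|ppk|p12|pem|pfx|cer|p7b|asc)\b", re.IGNORECASE)

def matched_analytics(event):
    """Return the playbook analytic numbers (1-4) that fire on one process-creation event."""
    name = event["process.name"].lower()
    cmd = event["process.command_line"]
    hits = []
    if name in ("cmdkey", "cmdkey.exe"):   # Analytic 1: cmdkey can list stored logins
        hits.append(1)
    if PASSWORD_WORDS.search(cmd):         # Analytic 2: credential words anywhere on the command line
        hits.append(2)
    if name == "reg.exe" and cmd:          # Analytic 3: any reg.exe with a command line (noisy by design)
        hits.append(3)
    if KEY_FILE_EXT.search(cmd):           # Analytic 4: private key / certificate file extensions
        hits.append(4)
    return hits

def hunt(events, min_analytics=1):
    """Return (event index, analytics) for events firing at least min_analytics analytics.
    Raising min_analytics to 2 is a simple correlation step: reg.exe plus a credential word survives,
    a lone 'reg add' or a document named login-process.docx does not."""
    out = []
    for i, e in enumerate(events):
        hits = matched_analytics(e)
        if len(hits) >= min_analytics:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for idx, hits in hunt(EVENTS):
        print(idx, hits, EVENTS[idx]["process.command_line"])
```

Note that the keyword analytic is substring based, so "login" in a document name fires it exactly as the Kibana wildcard query would; the notepad event is included to show that false positive.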

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

