Home > CAPEC List > CAPEC-560: Use of Known Domain Credentials (Version 3.4)  

CAPEC-560: Use of Known Domain Credentials

Attack Pattern ID: 560
Abstraction: Meta
Status: Stable
Presentation Filter:
+ Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service. Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.

Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data.

Successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.

+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.555Remote Services with Stolen Credentials
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.600Credential Stuffing
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.652Use of Known Kerberos Credentials
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.653Use of Known Windows Credentials
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.16Dictionary-based Password Attack
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.49Password Brute Forcing
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.50Password Recovery Exploitation
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.55Rainbow Table Password Cracking
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.70Try Common or Default Usernames and Passwords
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.508Shoulder Surfing
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.565Password Spraying
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.568Capture Credentials via Keylogger
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.151Identity Spoofing
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

    Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  2. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

    Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).
Experiment
  1. Attempt authentication: Try each credential until the target grants access.

    Techniques
    Manually or automatically enter each credential through the target's interface.
Exploit
  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

+ Prerequisites
The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.
The system/application does not have a sound password policy that is being enforced.
The system/application does not implement an effective password throttling mechanism.
The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.
+ Skills Required
[Level: Low]
Once an adversary obtains a known credential, leveraging it is trivial.
+ Resources Required
A list of known credentials. A custom script that leverages the credential list to launch an attack.
+ Indicators
Authentication attempts use credentials that have been used previously by the account in question.
Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
Data is being transferred and/or removed from systems/applications within the network.
Suspicious or Malicious software is downloaded/installed on systems within the domain.
Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Access Control
Authentication
Gain Privileges
Confidentiality
Authorization
Read Data
Integrity
Modify Data
+ Mitigations
Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
Create a strong password policy and ensure that your system enforces this policy.
Ensure users are not reusing username/password combinations for multiple systems, applications, or services.
Do not reuse local administrator account credentials across systems.
Deny remote use of local admin credentials to log into domain systems.
Do not allow accounts to be a local administrator on more than one system.
Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.
Monitor system and domain logs for abnormal credential access.
+ Example Instances
Throughout 2015 and 2016, APT28 — also known as Pawn Storm, Sednit, Fancy Bear, Sofacy, and STRONTIUM — leveraged stolen credentials to infiltrate the Democratic National Committee (DNC), the United States Army, the World Anti-Doping Agency (WADA), the Court of Arbitration for Sport (TAS-CAS), and more. In most cases, the legitimate credentials were obtained via calculated spearphishing, tabnabbing, and DNS attacks targeted at corporate webmail systems. APT28 also executed several watering hole attacks, in addition to exploiting several zero-day vulnerabilities within Flash and Windows. The stolen credentials were then utilized to maintain authenticated access, laterally move within the local network, and exfiltrate sensitive information including DNC emails and personal medical records of numerous athletes. [REF-571]
In early 2019, FIN6 exploited stolen credentials from an organization within the engineering industry to laterally move within an environment via the Windows’ Remote Desktop Protocol (RDP). Multiple servers were subsequently infected with malware to create malware distribution servers, which were used to distribute the LockerGoga ransomware. [REF-573]
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1078.001Valid Accounts:Default Accounts
1078.002Valid Accounts:Domain Accounts
1078.003Valid Accounts:Local Accounts
1199Trusted Relationship
+ References
[REF-570] "Attractive Accounts for Credential Theft". Microsoft Corporation. 2020-05-05. 2017-05-31. <https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft?redirectedfrom=MSDN>.
[REF-571] Feike Hacquebord. "Two Years of Pawn Storm: Examining an Increasingly Relevant Threat". Trend Micro. 2020-05-05. 2017-04-25. <https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf>.
[REF-572] "Corporate IoT – a path to intrusion". Microsoft Security Response Center (MSRC). 2020-05-05. 2019-10-05. <https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion>.
[REF-573] Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson and Douglas Bienstock. "Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware". Microsoft Security Response Center (MSRC). 2020-05-05. 2019-04-05. <https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2015-11-09CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-12-07CAPEC Content TeamThe MITRE Corporation
Updated References
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses, Taxonomy_Mappings
2020-07-30CAPEC Content TeamThe MITRE Corporation
Updated @Abstraction, @Status, Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings, Typical_Severity
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020