An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.
Description
Attack Execution Flow
5
1
Step 1
Explore[Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.
An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.
An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.
An adversary gains access to a system/files and exfiltrates password hashes.
An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
AI Translation
[Acquisizione di credenziali di sistema operativo note] L’avversario deve ottenere credenziali di sistema operativo note per accedere al sistema, applicazione o servizio di destinazione all’interno del dominio.
Un avversario acquista combinazioni di nome utente/password di sistema operativo compromesse o hash di password trapelati dal dark web.
Un avversario sfrutta un keylogger o un attacco di phishing per rubare le credenziali utente mentre vengono fornite.
Un avversario conduce un attacco di sniffing per rubare le credenziali di sistema operativo durante la trasmissione.
Un avversario ottiene l’accesso a un sistema/file e esfiltra hash di password.
Un avversario esamina i file di configurazione e di proprietà esposti pubblicamente per scoprire credenziali hardcoded.
Attack Techniques
-
An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.
-
An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.IT: Un adversary effettua un attacco di sniffing per rubare le credenziali del sistema operativo mentre vengono trasmesse.
-
An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.IT: Un adversary effettua un attacco di sniffing per rubare le credenziali del sistema operativo mentre vengono trasmesse.
-
An adversary gains access to a system/files and exfiltrates password hashes.IT: Un adversary effettua un attacco di sniffing per rubare le credenziali del sistema operativo mentre vengono trasmesse.
-
An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.IT: Un adversary effettua un attacco di sniffing per rubare le credenziali del sistema operativo mentre vengono trasmesse.
2
Step 2
Experiment[Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access.
Manually or automatically enter each credential through the target's interface.
AI Translation
[Tentativo di autenticazione] Prova ogni credenziale del sistema operativo contro vari sistemi, applicazioni e servizi all'interno del dominio fino a ottenere l'accesso al target.
Inserisci manualmente o automaticamente ogni credenziale tramite l'interfaccia del target.
Attack Techniques
-
Manually or automatically enter each credential through the target's interface.
3
Step 3
Exploit[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network
AI Translation
[Impersonate] Un avversario può utilizzare esperimenti o autenticazioni riuscite per impersonare un utente o sistema autorizzato, o per spostarsi lateralmente all’interno della rete
4
Step 4
Exploit[Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.
AI Translation
[Spoofing] Dati dannosi possono essere iniettati nel sistema target o in altri sistemi sulla rete. L'attore malevolo può anche fingersi un utente legittimo per eseguire attacchi di social engineering.
5
Step 5
Exploit[Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration.
AI Translation
[Data Exfiltration] L'avversario può ottenere dati sensibili contenuti all'interno di file di sistema o configurazioni delle applicazioni.
Mitigations
8
Create A Strong Password Policy And Ensure That Your System Enforces This Policy.
Deny Remote Use Of Local Admin Credentials To Log Into Domain Systems.
Do Not Allow Accounts To Be A Local Administrator On More Than One System.
Do Not Reuse Local Administrator Account Credentials Across Systems.
Ensure Users Are Not Reusing Username/Password Combinations For Multiple Systems, Applications, Or Services.
Implement An Intelligent Password Throttling Mechanism. Care Must Be Taken To Assure That These Mechanisms Do Not Excessively Enable Account Lockout Attacks Such As Capec-2.
Leverage Multi-Factor Authentication For All Authentication Services And Prior To Granting An Entity Access To The Network.
Monitor System And Domain Logs For Abnormal Credential Access.
Consequences
Security Scopes Affected
Access Control
Authentication
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Indicators
5
Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or locations.
Authentication attempts use credentials that have been used previously by the account in question.
Data is being transferred and/or removed from systems/applications within the network.
Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
Suspicious or Malicious software is downloaded/installed on systems within the domain.
Relationships
Parent CAPECs
Resources Required
2
A custom script that leverages a credential list to launch an attack.
A list of known credentials for the targeted domain.