Credentials (T1589.001)
Credentials [T1589.001]
Last updated
Credentials [T1589.001]
Last updated
Name: Credentials
ID: T1589.001
Tactics:
Technique:
Credentials (T1589.001) is a sub-technique within the MITRE ATT&CK framework under the broader category of Gather Victim Identity Information (T1589). This sub-technique specifically involves adversaries collecting credential information such as usernames, passwords, tokens, or authentication certificates. Attackers gather these credentials to facilitate further access, escalate privileges, maintain persistence, or execute lateral movement within victim environments. Credential harvesting is a critical step in many cyberattacks, enabling attackers to gain unauthorized access to sensitive systems, applications, and data.
Credential gathering encompasses various methods and mechanisms attackers employ to obtain sensitive authentication information. Attackers typically leverage multiple techniques, including but not limited to:
Phishing Attacks:
Spear phishing emails designed to trick users into providing credentials.
Fake login pages mimicking legitimate websites to capture user credentials.
Credential Dumping:
Extracting credentials stored in memory or disk through tools such as Mimikatz or LaZagne.
Leveraging vulnerabilities in operating systems or applications to retrieve stored credentials.
Network Sniffing:
Capturing cleartext or weakly encrypted credentials transmitted over insecure protocols like HTTP, FTP, or Telnet.
Using network monitoring tools such as Wireshark, Ettercap, or tcpdump.
Password Spraying and Brute Force Attacks:
Automated attempts to guess valid credentials using commonly known passwords or credential lists.
Tools commonly used include Hydra, CrackMapExec, and Burp Suite.
Social Engineering:
Manipulating users into revealing credentials through impersonation, pretexting, or other psychological tactics.
Malware and Keyloggers:
Deploying malicious software to capture keystrokes, screenshots, or clipboard data containing credentials.
Tools such as commercial keyloggers, remote access trojans (RATs), or custom malware scripts.
Attackers may also leverage credential reuse, credential stuffing attacks, or public credential leaks from breaches to identify valid credentials for targeted organizations.
Credential harvesting is commonly employed across various stages of cyberattacks and appears in multiple attack scenarios:
Initial Access Stage:
Attackers frequently use phishing emails or malicious websites to collect initial credentials from unsuspecting users.
Privilege Escalation and Persistence:
Harvested credentials allow attackers to escalate privileges and maintain persistent access to victim networks.
Lateral Movement:
Attackers use compromised credentials to move laterally within a network, accessing additional systems and resources.
Data Exfiltration and Impact:
Credentials enable attackers to access sensitive data, intellectual property, or financial information for exfiltration and further exploitation.
Espionage and Advanced Persistent Threats (APTs):
Nation-state actors frequently use credential harvesting to conduct long-term espionage campaigns, maintaining stealthy access to critical systems.
Credential harvesting is a versatile technique, appearing in nearly all types of cyberattacks, from opportunistic cybercriminal campaigns to sophisticated targeted intrusions.
Organizations can detect credential harvesting through multiple methods, tools, and indicators of compromise (IoCs):
Monitoring and Alerting on Suspicious Authentication Activity:
Unusual login times, geographic locations, IP addresses, or failed login attempts.
Tools: SIEM solutions (Splunk, ELK Stack), UEBA (User and Entity Behavior Analytics) platforms.
Endpoint Detection and Response (EDR):
Detecting use of credential dumping tools like Mimikatz or LaZagne.
Identifying suspicious processes, memory injections, or unusual command-line activities.
Network Monitoring and Intrusion Detection Systems (IDS):
Detecting cleartext credential transmission or abnormal protocol usage.
Tools: Snort, Suricata, Zeek (Bro), network traffic analyzers.
Email and Web Filtering:
Detecting phishing attempts, malicious URLs, or fraudulent websites designed to harvest credentials.
Tools: Proofpoint, Mimecast, Cisco Umbrella.
Honeypots and Deception Technologies:
Deploying fake credentials or decoy systems to detect unauthorized credential usage attempts.
IoCs Indicative of Credential Harvesting:
Presence of credential dumping tools or scripts on endpoints.
Logs showing repeated failed authentication attempts or brute-force attacks.
Known phishing domains/IP addresses identified in threat intelligence feeds.
Unusual outbound network traffic indicative of credential exfiltration.
Early detection of credential harvesting is crucial due to its significant impacts and potential consequences:
Unauthorized Access and Privilege Escalation:
Attackers leverage harvested credentials to gain unauthorized access to sensitive systems, applications, and data repositories.
Compromised privileged accounts can lead to full administrative control over networks and systems.
Data Breaches and Sensitive Information Exposure:
Credential harvesting often leads to data exfiltration, resulting in the loss of intellectual property, confidential business information, or personally identifiable information (PII).
Data breaches can lead to significant financial, regulatory, and reputational damage.
Operational Disruption and Downtime:
Attackers may use compromised credentials to disrupt operations, deploy ransomware, or sabotage critical systems.
Disruptions can severely impact business continuity and operational efficiency.
Persistence and Long-Term Compromise:
Harvested credentials allow attackers to maintain persistent, stealthy access to networks, making detection and remediation significantly more difficult.
Compliance and Regulatory Risks:
Credential harvesting incidents can lead to compliance violations (e.g., GDPR, HIPAA, PCI DSS), resulting in legal penalties, fines, and litigation.
Early detection and immediate response to credential harvesting attempts significantly reduce the likelihood of successful exploitation, minimize damage, and limit attacker dwell time within victim environments.
Real-world examples demonstrating credential harvesting attacks include:
Operation Aurora (Google, 2009-2010):
Attackers used spear-phishing emails to harvest credentials from Google employees, enabling unauthorized access to intellectual property and sensitive user data.
Tools: Custom malware, spear-phishing emails.
Impact: Intellectual property theft, reputational damage, increased cybersecurity measures.
LinkedIn Credential Leak (2012):
Attackers harvested approximately 167 million LinkedIn user credentials through compromised web applications, later sold on underground forums.
Tools: SQL injection vulnerabilities, password cracking tools.
Impact: Massive credential reuse attacks, increased credential stuffing attacks across multiple platforms.
APT28 (Fancy Bear) Credential Harvesting Campaigns:
Russian-linked threat actors conducted phishing campaigns targeting government officials, military personnel, and journalists to harvest credentials.
Tools: Spear-phishing emails, fake login portals, credential dumping tools.
Impact: Espionage, unauthorized access to sensitive government and military information, political interference.
Colonial Pipeline Attack (2021):
Attackers leveraged compromised VPN credentials obtained from a leaked password to gain initial access to the Colonial Pipeline network.
Tools: Credential reuse from leaked passwords, DarkSide ransomware.
Impact: Significant operational disruption, fuel shortages across Eastern U.S., financial and reputational damage.
These examples highlight the diverse methods, tools, and consequences associated with credential harvesting attacks, underscoring the critical need for robust detection and response strategies.