Credentials in Files
Credentials in Files [T1552.001]
Last updated
Credentials in Files [T1552.001]
Last updated
Name: Credentials In Files
ID: T1552.001
Tactics:
Technique:
Credentials in Files (T1552.001) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Unsecured Credentials" (T1552). This sub-technique refers specifically to adversaries discovering and leveraging credentials stored insecurely in files. Attackers typically search for plaintext passwords, access tokens, SSH keys, API keys, or other sensitive credential information that may be stored in configuration files, scripts, source code repositories, or logs. These credentials can provide adversaries with initial access, lateral movement capabilities, and privilege escalation opportunities within compromised environments.
Attackers commonly exploit credentials stored insecurely in various file types and locations, including:
Configuration Files:
Files such as .env, .ini, .cfg, .xml, .yaml, or .json often contain plaintext credentials or API keys.
Attackers scan directories and repositories for these configuration files to find sensitive information.
Source Code and Repositories:
Developers may inadvertently commit sensitive credentials into source code repositories (e.g., GitHub, GitLab, Bitbucket).
Attackers use automated tools or manual searches to identify leaked credentials in public or private repositories.
Scripts and Automation Tools:
Scripts used for automation or scheduled tasks (cron jobs, batch files, PowerShell scripts) frequently include plaintext credentials.
Attackers inspect scripts stored on compromised hosts to locate embedded passwords or tokens.
Log Files and Application Dumps:
Applications may inadvertently log credentials during debugging or verbose logging.
Attackers review log files or memory dumps to extract sensitive credential information.
System and Application Backups:
Backup files (e.g., database dumps, VM snapshots, archives) may contain credentials stored in plaintext or encoded formats.
Attackers target backup files to retrieve credentials for further exploitation.
Attackers frequently leverage automated tools and scripts to scan large file systems or code repositories quickly. Common tools and methods include:
Regular expressions and pattern matching to locate potential credential strings.
Automated scanning tools such as Gitrob, TruffleHog, Git-secrets, or custom scripts.
Manual inspection of files for sensitive information during targeted attacks.
Attackers utilize the Credentials in Files technique across multiple stages of the cyber kill chain, including:
Initial Access:
Attackers scan public repositories or leaked databases to find credentials that grant initial entry points into targeted systems or cloud services.
Execution and Persistence:
After gaining initial footholds, attackers search compromised hosts for embedded credentials to maintain persistent access or expand their reach.
Privilege Escalation:
Attackers may exploit credentials found in scripts, configuration files, or backups to escalate privileges within the compromised environment.
Lateral Movement:
Credentials discovered on one compromised machine or repository can facilitate lateral movement across networks or cloud environments.
Data Exfiltration and Impact:
Attackers leverage discovered credentials to access sensitive data stores, enabling data theft or destructive operations.
Detection of Credentials in Files involves proactive monitoring and reactive analysis of file systems, repositories, and logs. Common detection methods include:
File Monitoring and Auditing:
Implementing file integrity monitoring (FIM) solutions to detect unauthorized access or modifications to sensitive files.
Auditing file access logs for unusual patterns, such as extensive searching or accessing of configuration files and scripts.
Automated Credential Scanning Tools:
Regularly scanning repositories and file systems using tools such as TruffleHog, Git-secrets, Gitrob, or similar credential detection tools.
Identifying sensitive strings (API keys, passwords, tokens) through pattern matching and regular expressions.
Log Analysis and Security Monitoring:
Correlating logs from file system access, version control systems, and security event management systems (SIEMs) to detect suspicious activity.
Monitoring for unusual access patterns or spikes in file access events indicative of credential harvesting.
Threat Hunting:
Proactively searching file systems, repositories, and backups for plaintext or encoded credentials.
Investigating unusual processes or scripts performing extensive file searches.
Indicators of Compromise (IoCs):
Unusual or unexpected access to sensitive files (e.g., .env, .config, .ini, .json, .xml).
Presence of unauthorized scanning or enumeration scripts/tools on compromised hosts.
Unexpected usage of credentials from unusual locations or IP addresses.
Detection of credential strings in publicly accessible repositories or backups.
Early detection of Credentials in Files is critical due to the severe impacts that unauthorized credential access can have on an organization. Key reasons include:
Preventing Unauthorized Access:
Credentials found in files can grant attackers immediate access to critical systems, applications, databases, and cloud environments.
Reducing Lateral Movement:
Early detection prevents attackers from leveraging credentials to move laterally across internal networks, reducing the scope and scale of breaches.
Minimizing Privilege Escalation:
Identifying and securing credentials early prevents attackers from escalating privileges and gaining administrative control over sensitive systems.
Protecting Sensitive Data:
Early detection helps prevent attackers from accessing sensitive data, reducing risks of data breaches, data theft, and regulatory penalties.
Reducing Operational and Financial Impact:
Early identification and remediation of credential leaks minimize the financial, operational, and reputational damage associated with successful attacks.
Compliance and Regulatory Requirements:
Organizations are often required to protect sensitive credentials under regulatory frameworks (e.g., GDPR, HIPAA, PCI DSS). Detecting and addressing credential leaks ensures compliance and avoids potential fines.
Real-world examples demonstrating the Credentials in Files technique include:
Uber Data Breach (2016):
Attackers discovered AWS credentials stored in plaintext within a private GitHub repository.
These credentials allowed attackers to access sensitive user data stored in AWS S3 buckets, compromising millions of user records.
Capital One Breach (2019):
The attacker exploited misconfigured AWS services, discovering credentials and tokens stored within EC2 instance metadata and configuration files.
This led to the compromise of over 100 million customer records, resulting in significant reputational and financial impacts.
SolarWinds Attack (2020):
Attackers leveraged credentials stored in configuration files and scripts during their sophisticated supply-chain compromise.
These credentials enabled lateral movement within victim networks, resulting in widespread compromise of sensitive networks and government agencies.
Codecov Supply Chain Attack (2021):
Attackers compromised a Docker image used by Codecov, injecting malicious code that harvested credentials stored in environment variables and configuration files.
Stolen credentials allowed attackers to access numerous customer repositories and sensitive information.
Common tools attackers have used to automate credential discovery include:
TruffleHog:
Automated tool used to scan Git repositories for sensitive credentials and API keys.
Gitrob:
Open-source tool designed to discover sensitive information and credentials within GitHub repositories.
Git-secrets:
Tool for preventing the committing of sensitive credentials into Git repositories, but attackers may use similar logic to detect leaked credentials.
These examples highlight the significant risks associated with storing credentials insecurely in files and underline the importance of proactive detection and remediation.