1. Home
  2. Techniques
  3. Enterprise
  4. 从密码存储中获取凭证

从密码存储中获取凭证

ID Name
T1555.001 内存隐蔽提取
T1555.002 合法API劫持
T1555.003 加密存储密钥破解
T1555.004 云凭证代理同步

从密码存储中获取凭证是指攻击者通过访问系统或应用程序的密码存储机制,窃取用户认证信息的攻击技术。常见目标包括操作系统凭据保险库、浏览器保存的密码、云服务密钥管理器等。防御方通常通过监控敏感文件访问、检测异常进程内存操作以及分析加密存储访问模式等手段进行防护,例如使用文件完整性监控工具或限制高权限进程的创建。

为规避传统检测机制,攻击者发展出多种隐蔽式凭证窃取技术,通过内存操作精准化、API调用合规化、加密破解离线化等手段,将凭证提取过程深度融入系统正常业务流程,显著降低攻击行为的可观测性。

当前隐蔽式凭证窃取技术的共性在于对系统信任机制的逆向工程与时空维度攻击链重构。攻击者通过分层隐匿策略实现多级防护突破:内存隐蔽提取技术利用进程注入与瞬时内存解析,将攻击窗口压缩至密码解密瞬间;合法API劫持通过参数伪装与调用链合规化,使恶意操作获得系统合法性背书;加密存储密钥破解采用离线分布式计算,规避在线检测的同时提升破解效率;云凭证代理同步则借助云服务信任链,将数据外泄伪装成正常同步行为。这些技术的核心突破点在于将传统显性攻击动作解构为多个符合系统预期的微操作,并通过加密混淆、协议合规、环境融合等手法重构攻击路径。

匿迹技术的演进导致传统基于文件监控或进程行为的检测方法逐渐失效,防御方需构建内存完整性验证、API调用上下文分析、加密存储访问模式学习等新型检测能力,并实施硬件级安全防护以阻断侧信道攻击,形成覆盖凭证全生命周期的防护体系。

ID: T1555
Sub-techniques:  T1555.001, T1555.002, T1555.003, T1555.004
Tactic: 凭据获取
Platforms: IaaS, Linux, Windows, macOS
Version: 1.2
Created: 11 February 2020
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过模拟合法API调用流程与云同步协议,使凭证窃取行为在日志记录中呈现为正常业务操作。例如劫持浏览器密码管理接口时严格遵循标准调用规范,在参数结构与加密方式上与合法组件保持完全一致,规避基于API调用特征的检测规则。

行为透明

利用零日漏洞突破加密存储防护机制,例如通过未公开的侧信道攻击提取硬件安全模块中的临时密钥。此类技术使得传统基于已知漏洞特征的检测手段无法识别攻击行为,实现"无特征"攻击。

数据遮蔽

在数据传输阶段采用多层加密与分片混淆技术,例如将窃取的凭证数据封装在标准TLS流量中,或使用云存储服务的客户端加密功能进行二次加密,使网络层监控无法直接解析攻击载荷。

时空释痕

通过分布式破解架构与离线攻击链设计,将高强度密码破解任务分散到多个计算节点长期执行。同时利用云同步机制的周期性特征,将数据外泄行为拆解为低频次合法操作,使攻击特征稀释在正常业务流量中。

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[1]
G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[2][3]
G0087 APT39

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[4]
G0096 APT41

APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases.[5]
S0373 Astaroth

Astaroth uses an external software known as NetPass to recover passwords. [6]
S0484 Carberp

Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[7]
S0050 CosmicDuke

CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[8]
S1111 DarkGate

DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.[9]
G0120 Evilnum

Evilnum can collect email credentials from victims.[10]
G0037 FIN6

FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[11]
G1001 HEXANE

HEXANE has run cmdkey on victim machines to identify stored credentials.[12]
S0526 KGH_SPY

KGH_SPY can collect credentials from WINSCP.[13]
S0349 LaZagne

LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[14]
G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne.[15]
S0447 Lokibot

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[16]
G1026 Malteiro

Malteiro has obtained credentials from mail clients via NirSoft MailPassView.[17]
S1156 Manjusaka

Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.[18]
S0167 Matryoshka

Matryoshka is capable of stealing Outlook passwords.[19][20]
S1146 MgBot

MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[21][22]
S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[23][24][25][26][27]

S1122 Mispadu

Mispadu has obtained credentials from mail clients via NirSoft MailPassView.[17][28][29]
G0069 MuddyWater

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[30][31][32]
S0198 NETWIRE

NETWIRE can retrieve passwords from messaging and mail client applications.[33]
G0049 OilRig

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[34][35][36][37]
S0138 OLDBAIT

OLDBAIT collects credentials from several email clients.[38]
S0048 PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.[8]
S0435 PLEAD

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[39]
S0378 PoshC2

PoshC2 can decrypt passwords stored in the RDCMan configuration file.[40]
S0113 Prikormka

A module in Prikormka collects passwords stored in applications installed on the victim.[41]
S0192 Pupy

Pupy can use Lazagne for harvesting credentials.[42]
S0262 QuasarRAT

QuasarRAT can obtain passwords from common FTP clients.[43][44]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[45]

G0038 Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.[46]
G1017 Volt Typhoon

Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.[47]

Mitigations

ID Mitigation Description
M1027 Password Policies

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.
M1026 Privileged Account Management

Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.
M1051 Update Software

Perform regular software updates to mitigate exploitation risk.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity")(eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") ORoperationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") ORprotoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))
DS0017 Command Command Execution

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

Analytic 1 - Commands indicating credential searches.

(index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure") CommandLine IN ("findstr /si password", "findstr /si pass", "grep -r password", "grep -r pass", "grep -r secret", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))
DS0022 File File Access

Monitor for files being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized access to files containing credentials.

index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "/.aws/credentials", "/.ssh/id_rsa")) OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/", "/Users//Library/Keychains/", "/Users//.ssh/id_rsa")))

DS0009 Process OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.
Process Access

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized process access indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=10 TargetImage IN ("lsass.exe", "securityd", "ssh-agent", "gpg-agent") OR EventCode=11 TargetObject IN ("password", "creds", "credentials", "secrets", "keychain", ".kdbx", ".pfx", ".pem", ".p12", ".key") OR EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache"))
Process Creation

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

Analytic 1 - New processes with parameters indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))

References

  1. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  2. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  3. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  4. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  5. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  6. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  7. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  8. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  9. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  10. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  11. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  12. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  13. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  14. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  15. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  16. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  17. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  18. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  19. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  20. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  21. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  22. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  23. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  24. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  1. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  2. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  3. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  4. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
  5. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  6. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  7. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  8. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  9. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  10. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  11. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  12. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  13. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  14. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  15. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  16. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  17. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  18. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  19. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  20. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  21. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  22. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  23. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.