ATT&CK for Enterprise – TA0006 Credential Access
Credential Access, Tactic TA0006 – Enterprise | MITRE ATT&CK®
“Credential Access” in cybersecurity refers to the methods and techniques used by attackers to obtain user credentials, like usernames and passwords, from a system or network. This can include stealing, guessing, or forging credentials to gain unauthorized access to systems and data. Techniques like keylogging, phishing, credential dumping, and exploiting system vulnerabilities are commonly used. The aim is to gain access to restricted areas, escalate privileges, or move laterally within a network. This blog will explore and categorize specific alerts from Credential access alerts documentation.
T1110 Brute Force
| External ID | Name | Sev. | Description |
| 2004 | Suspected Brute Force attack (LDAP) | Medium | Brute Force Nature: The attacker tries numerous passwords across various accounts to find a correct one. This is a trial-and-error method aimed at gaining unauthorized access. LDAP Simple Bind ①: The attack involves the LDAP simple bind process, a basic method for authenticating LDAP clients to servers. Attack Patterns: Either Horizontal Attack ② or Vertical Attack ③, it also can be the combination of both. Detection Mechanism: This type of attack is detected by “Defender for Identity” when there is an unusually high number of simple bind authentication attempts. Detection is based on authentication events recorded by sensors on domain controllers and AD FS servers ④. Impact: If successful, the attacker gains access to at least one account, potentially compromising system security and allowing for unauthorized activities. |
| 2023 | Suspected Brute Force attack (Kerberos, NTLM) | Medium | Attack Method: The attacker tries multiple passwords on different accounts to find a correct one, or employs a password spray, using one password against many accounts. Attack Patterns: Either Horizontal Attack or Vertical Attack, it also can be the combination of both. Attack Strategy: Attackers often wait for a period (e.g., 30 minutes) between password spray ⑤ attempts to avoid triggering account lockout mechanisms. Purpose and Efficacy: These attacks are effective for gaining initial access to an organization and facilitating lateral movements or privilege escalation. Detection: An alert is triggered after observing many authentication failures or detecting a password spray. The minimum period for triggering an alert is one week ⑥ |
① LDAP Simple Bind: This method involves sending the user’s Distinguished Name (DN) and password in plain text to the LDAP server. The server then verifies these credentials against its directory to authenticate the user.
LDAP simple bind is necessary because it provides a straightforward and widely-supported mechanism for user authentication. It allows for easy integration of various applications and services with directory services for user verification.
② Horizontal Brute-Force: This involves using a small set of passwords and trying them on many different user accounts. The attacker is not targeting a specific user but rather attempting to find any weak account.
③ Vertical Brute-Force: This method uses a large set of different passwords but targets just a few users. The aim here is to crack the password of a specific account or a small number of accounts, possibly with higher privileges.
④ User Authentication: ADFS can use LDAP simple bind to authenticate users against an AD domain. This is particularly common in environments where ADFS is configured to use AD as its identity store.
Integration with AD: LDAP is a native protocol for interacting with AD. Using LDAP simple bind, ADFS can efficiently query AD for user credentials and other directory information necessary for authentication and authorization processes.
⑤ T1110.003 Password Spraying A Password Spray Attack is a type of cyber attack where an attacker uses a common, weak password to attempt to log into a large number of different accounts. This approach differs from traditional brute force attacks by targeting many accounts with a few passwords, rather than many passwords on a single account. Key aspects: Single password, mutiple accounts; evading lockout policies; periodic attempts
⑥ The differing detection times for NTLM/Kerberos and LDAP brute force attacks are due to their distinct attack patterns and protocol characteristics. NTLM/Kerberos attacks are typically more complex and stealthier, involving slow, low-volume attempts that blend in with normal traffic, necessitating a longer period (about a week) for systems to learn and establish a baseline of normal behavior to identify anomalies. In contrast, LDAP brute force attacks are generally more straightforward and less sophisticated, with attackers quickly trying multiple passwords, resulting in a clear attack signature that is easier to detect in a shorter timeframe.
T1555 Credentials from Password Stores
| External ID | Name | Sev. | Description |
| 2020 | Malicious request of Data Protection API master key | High | Target on DPAPI: DPAPI is integral to Windows security, protecting password or sensitive data ① saved by browsers and other sensitive files. Master Key Vulnerability: In this attack, the focus is on the master key ② backup held by domain controllers. This key is capable of decrypting all data protected by DPAPI on machines within a domain. Attack Mechanism: Attackers aim to acquire this master key, which would allow them to decrypt any DPAPI-protected secrets across all domain-joined Windows machines. Detection and Alerting: An alert is triggered in Microsoft’s Defender for Identity system when there’s an attempt to retrieve this backup master key, signaling a potential malicious activity. |
① Passwords and Secrets: DPAPI is commonly used to encrypt and protect passwords and other secrets stored on a Windows system.
Generic Data Encryption: Beyond just passwords, DPAPI can also be used to encrypt any kind of sensitive data. This includes cryptographic keys, connection strings, or any data that an application deems confidential.
② Storage Path: The DPAPI master key is typically stored in the user’s profile configuration files, specifically within the user’s profile directory. For machines joined to a domain, the path is typically as follows: C:\Users[Username]\AppData\Roaming\Microsoft\Protect\
In this directory, there will be one or more folders named with GUIDs, and each folder represents a specific User Security ID (SID). These folders store the encrypted master key.
User Credential Encryption: The DPAPI master key is encrypted using the user’s login credentials. For users in a domain environment, this typically involves the user’s NTLM hash or Kerberos ticket.
T1558 Steal or Forge Kerberos Tickets
| External ID | Name | Sev. | Description |
| 2013 | Suspected Golden Ticket usage (forged authorization data) | High | Exploiting Vulnerabilities: It targets known weaknesses in older Windows Server systems. Manipulation of PAC: Attackers manipulate the Privileged Attribute Certificate (PAC), a component of the Kerberos ticket in Active Directory. PAC carries user authorization data, like group memberships. Unauthorized Privilege Escalation: By altering the PAC, attackers grant themselves additional privileges within the network, potentially gaining unauthorized access to sensitive areas and data. |
| 2410 | Suspected Kerberos SPN exposure | High | Enumerating SPNs: Attackers use tools to list service accounts and their Service Principal Names (SPNs), which are unique identifiers for each service in a Kerberos-authenticated network. Requesting Kerberos Tickets: They then request Kerberos service tickets for these identified services. Capturing and Exploiting TGS Tickets: The attackers capture Ticket Granting Service (TGS) tickets from the network’s memory and extract their hashes. Offline Brute Force Attack: These extracted hashes are saved for conducting offline brute force attacks, where attackers attempt to crack the passwords without risking detection by the network’s security systems. |
| 2412 | Suspected AS-REP Roasting attack | High | Targeting Specific Accounts: The attack focuses on accounts that have Kerberos preauthentication disabled. Preauthentication is an additional security measure in Kerberos. Sending AS-REQ Requests: Attackers send Authentication Service Request (AS-REQ) messages to the Kerberos service without the required encrypted timestamp. Receiving AS-REP Messages: In response to these requests, they receive Authentication Service Response (AS-REP) messages that contain Ticket Granting Ticket (TGT) data. Exploiting Insecure Encryption: The TGT data might be encrypted with weaker algorithms like RC4, making it more susceptible to attacks. Offline Password Cracking: Attackers save the received data for later use in offline password cracking attacks, where they attempt to decipher the encrypted credentials without alerting the network’s security mechanisms. Exposing Plaintext Credentials: The ultimate goal is to extract plaintext credentials, similar to a Kerberoasting attack, but targeting a different aspect of the Kerberos protocol. |
| 2419 | Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) | High | Attack Context: The attack occurs in Active Directory environments that have not been patched against specific vulnerabilities. It allows attackers to escalate their privileges to that of a Domain Admin. Mechanism of the Attack: The attacker initially compromises a regular user account in the domain. During Kerberos authentication, when a Ticket-Granting-Service (TGS) ticket is requested, the Key Distribution Center (KDC) tries to locate the account associated with the request. If the requested account is not found, the KDC searches again, this time appending a trailing “$” to the account name. The attacker exploits this by creating a situation where the KDC fails to find the initially requested account but succeeds when the trailing “$” is added. This is achieved by manipulating the sAMAccountName attribute. As a result, the KDC issues a TGS ticket with the privileges of the manipulated account, essentially granting the attacker Domain Admin privileges. Exploiting Specific Vulnerabilities: The attack specifically exploits CVE-2021-42278 and CVE-2021-42287, vulnerabilities in the way Active Directory handles account lookups. By leveraging these vulnerabilities, an attacker with basic domain user credentials can elevate their access to that of a domain admin. |
T1552 Unsecured Credentials
| External ID | Name | Sev. | Description |
| 2413 | Suspected AD FS DKM key read | High | Targeting AD FS Configuration: The attack focuses on the AD FS configuration database, which stores critical security elements like the token signing and token decryption certificates, along with the private keys of AD FS. Role of DKM Keys: These certificates and keys are encrypted using a technology called Distributed Key Manager (DKM) ①. AD FS uses these DKM keys for its operations, particularly for creating and verifying security tokens. Attack Mechanism: The attacker aims to access these DKM keys. Possessing these keys would allow the attacker to decrypt the certificates that are used for signing SAML tokens. This type of attack is akin to the Golden Ticket attack but targets the SAML tokens instead of Kerberos tickets. Purpose of the Attack: By gaining access to these private keys, the attacker can perform actions like the Golden SAML attack, creating SAML tokens that can be used to impersonate any user and gain unauthorized access across federated services. Detection Efforts: The security systems in place attempt to detect any unauthorized attempts to access or read the DKM keys within the AD FS environment. |
① Decryption Key Management (DKM) can be understood as a kind of container or storage mechanism for encryption keys. It’s a critical component for securely handling the keys used by ADFS, particularly for encrypting and decrypting tokens.
Physically, the DKM is not located as a standalone entity or file within the ADFS infrastructure. Instead, it’s integrated into the Active Directory (AD) environment. The DKM stores its keys in the AD database, specifically within the configuration partition. This storage is typically done in the form of objects in the AD.
Other combined Tactics
| External ID | Name | Sev. | Description |
| 2047 | Suspected rogue Kerberos certificate usage | High | Objective: The primary goal of this reconnaissance is to map the domain structure and identify privileged accounts, which can be crucial for attackers planning subsequent stages of their attack, often referred to as the “attack kill chain.” Method: Attackers use LDAP both for legitimate administrative purposes and for malicious reconnaissance. First Phase of Kerberoasting Attacks: This LDAP-focused reconnaissance is often the initial step in Kerberoasting attacks. In Kerberoasting, attackers aim to compile a list of Security Principal Names (SPNs) and subsequently attempt to acquire Ticket Granting Server (TGS) tickets for these SPNs, which can be cracked offline to reveal service account credentials. Detection and Learning Period: To differentiate between legitimate and suspicious activities, Defender for Identity does not trigger alerts for this type of activity during the first 10 days after its deployment. This period allows Defender for Identity to learn and profile normal user behaviors. After this initial learning phase, alerts are generated for computers performing unusual LDAP enumeration queries or targeting sensitive groups using methods that have not been observed before. |
| 2006 | Suspected DCSync attack (replication of directory services) | High | Malicious Replication Requests: In a DCSync attack, an attacker exploits the AD replication process ②. They simulate the behavior of a domain controller and initiate a replication request from a non-DC computer. Data Exfiltration: By doing this, the attacker can potentially retrieve sensitive data from the AD, including password hashes and other critical security information. Permissions Required: This type of attack typically requires that the attacker has already gained high-level permissions (like those of a Domain Administrator) to successfully initiate the replication request. |
| 2014 | Honeytoken authentication activity | Medium | Honeytoken Authentication as a Red Flag: Any sign of activity on a honeytoken account is a strong indicator of malicious behavior and warrants immediate investigation. Proactive Security Measure: Using honeytokens is a strategic way to lure potential attackers and detect them early in their attempts to breach the network. Monitoring and Response: Organizations should closely monitor these accounts and have protocols in place to respond swiftly if they detect activity. |
① “Security principal” typically refers to users, groups, and service accounts within the domain, each of which has a unique identity and security-related attributes.
Security Principal Reconnaissance (LDAP) is when attackers use LDAP queries to gather information (SPNs) about security principals in the domain environment, providing essential data support for subsequent attacks like Kerberoasting.
In a Kerberos Roasting attack, attackers typically use already obtained user credentials to request service tickets. “Roasting” refers to the process of offline cracking of the service tickets. Since these service tickets are encrypted with the password associated with the service account, attackers can attempt to crack these tickets offline to obtain the service account’s password. The effectiveness of this attack largely depends on the strength and complexity of the service account’s password.
② Active Directory replication is a process where changes made on one DC are synchronized across all other DCs in the network. This ensures consistency of data, including user credentials and policy settings, across the network.