
MITRE ATT&CK - T1555.004 Credentials from Password Stores: Windows Credential Manager

by 올엠 2022. 4. 5.

Among the MITRE ATT&CK techniques, the entry for Credentials from Password Stores: Windows Credential Manager has been newly updated, so I am sharing it here.

The newly published content describes an attack technique that enumerates the credentials stored in the Windows Vault.

If a threat-monitoring system such as a SIEM is in place, registering Vault access activity in it should make it possible to stop attempts to access the key information stored in the Vault.

Credentials from Password Stores, Technique T1555 - Enterprise | MITRE ATT&CK® (attack.mitre.org)

attack_technique: T1555.004
display_name: 'Credentials from Password Stores: Windows Credential Manager'
atomic_tests:
- name: Access Saved Credentials via VaultCmd
  description: |
    List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
    Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos
    https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
    https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      vaultcmd /listcreds:"Windows Credentials"
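To make the SIEM monitoring suggested above concrete, here is an added example (not part of the original post or the Atomic Red Team test) that flags process-creation events matching the vaultcmd /listcreds command the test runs. It assumes Sysmon-style Image/CommandLine/ParentImage/User field names; the sample events are constructed, not real telemetry.

```python
# Added example: detect VaultCmd credential enumeration (T1555.004) in
# process-creation telemetry. Field names follow Sysmon Event ID 1
# (assumption); the sample events below are constructed for demonstration.
import re
from typing import Iterable

# /listcreds, case-insensitive, followed by a non-word char or end of string
# so that the vault name after the colon does not matter.
_LISTCREDS = re.compile(r"/listcreds\b", re.IGNORECASE)

def is_vaultcmd_listcreds(event: dict) -> bool:
    """True when the event is vaultcmd.exe enumerating stored credentials."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Compare only the executable name, whatever path it was launched from.
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe == "vaultcmd.exe" and bool(_LISTCREDS.search(cmdline))

def find_vault_access(events: Iterable[dict]) -> list:
    """Return one alert record per event that triggers the rule."""
    alerts = []
    for ev in events:
        if is_vaultcmd_listcreds(ev):
            alerts.append({
                "technique": "T1555.004",
                "user": ev.get("User", "?"),
                "parent": ev.get("ParentImage", "?"),
                "cmd": ev.get("CommandLine", ""),
            })
    return alerts

# Constructed sample telemetry: one true hit, one vault listing without
# credentials (/list only), and one unrelated binary with a similar argument.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\VaultCmd.exe",
     "CommandLine": 'vaultcmd /listcreds:"Windows Credentials"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\VaultCmd.exe",
     "CommandLine": "VaultCmd.exe /list",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe /listcreds",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for a in find_vault_access(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['user']} via {a['parent']}: {a['cmd']}")
```

Only the first sample event is reported; the plain /list invocation and the non-vaultcmd process are ignored, which keeps the rule focused on credential enumeration rather than any use of the binary.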


References

Detecting Adversary Tradecraft with Image Load Event Logging and EQL (medium.com): https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

The Windows Vaults (blog.malwarebytes.com): https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
