MITRE ATT&CK vulnerability spotlight: Exploitation for credential access
MITRE is a federally-funded research and development center (FFRDC) for the U.S. government. As an FFRDC, MITRE performs a variety of different functions for the government, including acting as a trusted third party for evaluations and audits and performing research on topics of value to the U.S. federal government.
One of the products of MITRE’s cybersecurity research and development efforts is the MITRE ATT&CK framework. The goal of the MITRE ATT&CK framework is to raise awareness of the tactics and procedures used by cyber threats during their attacks.
The MITRE ATT&CK framework breaks down the life cycle of a cyberattack into its component stages. For each stage of the attack life cycle, MITRE provides a list of the methods that can be used to accomplish that phase of the attack. For each of these methods, information is provided about how the particular method works, affected systems and how to detect and mitigate it.
What is exploitation for credential access?
One of the stages of the cyberattack life cycle based on the MITRE ATT&CK framework is credential access. In this stage, an attacker attempts to gain access to the credentials of legitimate users on a system. These credentials can then be leveraged to gain initial access to a system or expand an attacker’s foothold and access by opening up new and potentially more powerful accounts.
Exploitation for credential access is one of the methods for completing this stage of a cyberattack. This method is a fairly general one that covers a wide variety of different specific techniques. In general, any time that an attacker exploits a vulnerability on a system with the goal of stealing user credentials, it qualifies as exploitation for credential access.
Examples of exploitation for credential access
Since this tactic in the MITRE ATT&CK framework is so general, there are a number of specific ways in which an attacker can perform it. One of these ways is through exploitation of an SQL injection vulnerability.
In SQL injection, an attacker takes advantage of poor input sanitization and the fact that commands and user-provided data are intermingled within an SQL query. If an attacker performs an SQL injection attack against a database containing user credentials via a user login portal, they may be able to gain access to the usernames and password hashes stored in the database. These passwords can then be cracked to reveal a user’s password, allowing the attacker to log into the system.
Another example involves forcing a Windows machine to try to authenticate to a remote server. If a Windows machine with single-sign on (SSO) enabled is tries to resolve a link that includes a file for a remote server that requires authentication, the Windows machine will send the NTLM network authentication challenge response to the remote server. From this value, the user’s NTLM password hash can be computed, allowing an attacker to crack the password and gain access to the server.
These two examples involve theft of user credentials by exploiting a vulnerable system. However, this tactic also includes exploitation of vulnerabilities that allow an attacker to bypass the need for user credentials entirely. An example of this is vulnerability MS14-068, which allows an attacker with domain user permissions to forge a Kerberos ticket that elevates their permissions to the level of domain administrator. At this point, the attacker can then compromise any computer within the domain.
Detection and mitigation
The methods for detecting exploitation for credential access depend on the vulnerability exploited by the attacker. Different vulnerabilities are exploited in different ways and can be detected by analysis of different data. If an exploit fails, the failure may be logged, which is an indicator of an attempted attack.
However, it is possible to detect these attacks in general by monitoring for their effects. The end result of this tactic is that an attacker gains access to a valid account on the system. If a previously dormant account becomes active or an account’s behavior changes, this can indicate a successful exploit for credential access.
Protecting against this tactic requires ensuring that an attacker cannot exploit a vulnerability on a system that could be used to gain access to protected credentials. One means of accomplishing this is to run any potentially vulnerable applications in a sandbox. This isolation minimizes the impacts of exploitation, and execution in a sandbox environment can make attacks easier to detect.
For software that cannot be run in sandboxed environments, organizations should deploy defenses designed to identify attempted exploitations. These include solutions like Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET).
Finally, an organization should do what they can to decrease the probability that an attacker has an opportunity to exploit a vulnerability undetected. Patching known software vulnerabilities and leveraging threat intelligence to identify and block the latest types of attacks can ensure that the organization can prevent or identify and respond to an incident before the attacker can take advantage of it.
Conclusion: Protecting against exploitation for credential access
Organizations must contend with a rapidly growing number of software vulnerabilities on their systems. As these vulnerabilities become more common, organizations are less capable of detecting and remediating all of them, and the probability that an attacker can steal user credentials through exploiting one of them increases.
Protecting against exploitation for credential access requires organizations to take a multi-stage approach to defense. Identifying and remediating vulnerabilities that can be exploited for credential access is always good, but an organization likely will not be able to find all of them or detect attempts to exploit them for access to user credentials.
As a result, it is also important to monitor for indications that an attacker has successfully performed an attack. This includes any deviant or suspicious behavior that may indicate that a user account has been compromised.