Exploitation for Credential Access
Info
ID: AT-EC002
Tactic: Expanding Control
Platforms: Linux, macOS, Windows
Sub-techniques: Memory Exploitation for Credential Extraction, Stealing Tokens
Permissions Required: User, Administrator
Version: 1.0
Adversaries may exploit software vulnerabilities to obtain credentials from memory, configuration files, or other storage locations. This technique involves leveraging buffer overflows, memory corruption, or other exploitation methods to access credential stores, password managers, or authentication systems. Unlike traditional credential harvesting that relies on existing access, exploitation for credential access uses technical vulnerabilities to bypass security controls.
Common targets include web browsers with stored passwords, password management applications, authentication services, and applications that cache credentials in memory. Successful exploitation can provide access to user passwords, authentication tokens, API keys, and other sensitive authentication materials that enable further compromise.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1050 | Exploit Protection | Implement CADR exploit protection mechanisms to prevent credential access exploitation. |
| M1041 | Encrypt Sensitive Information | Implement credential encryption and secure storage mechanisms. |
| M1040 | Behavior Prevention on Endpoint | Deploy endpoint protection to detect credential extraction attempts. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0009 | Process: OS API Execution | Alert on memory-access APIs (ReadProcessMemory, ptrace, process_vm_readv) invoked by non-security processes and followed by binary writes or network egress. |
| CADR001 | Execution Stack Trace | Detect exploitation of arbitrary file access vulnerabilities by monitoring file access activity driven by unsanitized user-supplied payloads that results in abnormal file activity patterns. |
| DS0015 | Application Log | Review application crash or exception logs immediately preceding unusual authentication events—indicative of exploit attempts targeting credential stores. |
| DS0022 | File: File Access | Monitor reads of credential databases, password-manager vaults, or sensitive files by processes that do not normally access them. |
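The DS0009 and DS0022 rows above describe two correlation rules: a memory-access API call by a process that is not a security tool, followed within a short window by a file write or a network connection from the same process; and a read of a known credential store by a process outside the set that normally reads it. The script below is an added example written for this page, not code from the page's own detection content. It assumes a constructed JSON-lines event schema (`ts`, `pid`, `proc`, `kind`, `detail`), a hypothetical allowlist of processes permitted to read other processes' memory, and a hypothetical baseline of credential-store paths; the sample events are constructed and the IP uses the TEST-NET-3 range.

```python
"""Run the DS0009 and DS0022 correlation rules over constructed sample events."""
import json
from datetime import datetime, timedelta

# Memory-access APIs named in the detection table.
MEMORY_APIS = {"ReadProcessMemory", "ptrace", "process_vm_readv"}
# Hypothetical allowlist: processes expected to read other processes' memory (EDR, debuggers).
MEMORY_API_ALLOWLIST = {"edr-agent", "gdb"}
# Hypothetical baseline: credential store path -> processes that normally read it.
CREDENTIAL_STORE_BASELINE = {
    "/home/alice/.config/google-chrome/Default/Login Data": {"chrome"},
    "/home/alice/.local/share/keyrings/login.keyring": {"gnome-keyring-daemon"},
}
# Correlation window between the API call and the follow-on write or egress.
WINDOW = timedelta(seconds=60)

# Constructed sample events (JSON lines); not real telemetry.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00", "pid": 4101, "proc": "edr-agent", "kind": "api", "detail": "ReadProcessMemory"}
{"ts": "2024-05-01T10:00:05", "pid": 5120, "proc": "update-helper", "kind": "api", "detail": "process_vm_readv"}
{"ts": "2024-05-01T10:00:07", "pid": 5120, "proc": "update-helper", "kind": "file_write", "detail": "/tmp/.cache.bin"}
{"ts": "2024-05-01T10:00:09", "pid": 5120, "proc": "update-helper", "kind": "net_connect", "detail": "203.0.113.7:443"}
{"ts": "2024-05-01T10:01:00", "pid": 6000, "proc": "chrome", "kind": "file_read", "detail": "/home/alice/.config/google-chrome/Default/Login Data"}
{"ts": "2024-05-01T10:01:30", "pid": 5120, "proc": "update-helper", "kind": "file_read", "detail": "/home/alice/.config/google-chrome/Default/Login Data"}
{"ts": "2024-05-01T10:05:00", "pid": 7000, "proc": "gdb", "kind": "api", "detail": "ptrace"}
{"ts": "2024-05-01T10:06:00", "pid": 7001, "proc": "build-tool", "kind": "api", "detail": "ptrace"}
"""


def parse_events(text):
    """Parse JSON-lines events, convert timestamps, and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_memory_api_sequences(events):
    """DS0009-style rule: a non-allowlisted process calls a memory-access API and,
    within WINDOW, the same pid writes a file or opens a network connection."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "api" or ev["detail"] not in MEMORY_APIS:
            continue
        if ev["proc"] in MEMORY_API_ALLOWLIST:
            continue
        follow_ons = [
            later for later in events[i + 1:]
            if later["pid"] == ev["pid"]
            and later["kind"] in ("file_write", "net_connect")
            and later["ts"] - ev["ts"] <= WINDOW
        ]
        if follow_ons:  # an API call alone (e.g. build-tool) is not enough to alert
            alerts.append({
                "rule": "DS0009-memory-api-then-exfil",
                "pid": ev["pid"], "proc": ev["proc"], "api": ev["detail"],
                "follow_on": [(f["kind"], f["detail"]) for f in follow_ons],
            })
    return alerts


def detect_credential_store_reads(events):
    """DS0022-style rule: a known credential store is read by a process outside its baseline."""
    alerts = []
    for ev in events:
        if ev["kind"] != "file_read":
            continue
        expected = CREDENTIAL_STORE_BASELINE.get(ev["detail"])
        if expected is not None and ev["proc"] not in expected:
            alerts.append({
                "rule": "DS0022-unexpected-credential-store-read",
                "pid": ev["pid"], "proc": ev["proc"], "path": ev["detail"],
            })
    return alerts


def run_detections(text):
    """Apply both rules to a JSON-lines log and return the combined alert list."""
    events = parse_events(text)
    return detect_memory_api_sequences(events) + detect_credential_store_reads(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample events the allowlisted `edr-agent` and `gdb` calls produce nothing, `build-tool`'s lone `ptrace` produces nothing because no write or egress follows it, and `update-helper` fires both rules: a `process_vm_readv` followed by a file write and a connection, and a later read of the browser's password database. The allowlist and baseline are the tuning points; in practice they are derived from observed normal behaviour on the monitored hosts rather than hard-coded.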