Info
ID: AT-EC002.001
Technique: Exploitation for Credential Access
Tactic: Expanding Control
Platforms: Linux, macOS, Windows
Permissions Required: User, Administrator
Version: 1.0
Memory Exploitation for Credential Extraction
Memory exploitation for credential extraction targets application memory spaces to extract sensitive authentication material during the "Expanding Control" phase of an attack. After gaining initial access to a system, attackers exploit memory-safety flaws such as buffer overflows or use-after-free conditions, or use techniques such as heap spraying, to reach regions of memory where credentials are temporarily held in cleartext. This technique circumvents disk-based credential protection mechanisms by targeting the application's runtime memory state, where encryption may be temporarily removed for authentication processing.

More capable attackers may inject code that hooks memory-management functions, intercepts cryptographic operations, or dumps process memory selectively while authentication data is present. Common targets include web browsers storing session cookies, password managers during unlock operations, and enterprise applications that cache credentials for transparent authentication.

Unlike traditional credential harvesting that relies on filesystem artifacts, memory exploitation lets attackers obtain credentials that may never be written to disk in unencrypted form, which makes detection significantly more challenging and expands their control within the compromised environment.
Data Sources
- Process Monitoring: Memory access patterns and process injection activities
- Memory Analysis: Memory dumps and credential storage analysis
- System Call Monitoring: System calls related to memory management and access
- Application Logs: Memory access violations and security events
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0009 | Process: OS API Execution | Detect suspicious use of ptrace, process_vm_readv, or VirtualQueryEx followed by bulk memory reads of authentication processes. |
| DS0009 | Process: Process Access | Alert when a low-privilege process opens a handle to a high-privilege process with PROCESS_VM_READ rights. |
| DS0015 | Application Log | Correlate segmentation faults or access-violation events within security-critical processes with subsequent network egress. |
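The first detection row above, worked as an added example that is not part of this technique page: a small Python detector that reads constructed, simplified audit-style records (the `ts=... pid=... comm=... syscall=... target_pid=... target_comm=...` layout, the `AUTH_PROCESSES` list and the thresholds are assumptions, not real auditd output) and raises an alert only when a single caller issues a burst of `ptrace` or `process_vm_readv` calls against a process assumed to hold credentials.

```python
import re
from collections import defaultdict

MEMORY_READ_SYSCALLS = {"ptrace", "process_vm_readv"}  # Linux primitives named in the detection row
AUTH_PROCESSES = {"sshd", "gnome-keyring-daemon", "login"}  # assumed list of credential holders
BULK_THRESHOLD = 5   # reads of one target inside the window that count as "bulk" (assumed)
WINDOW_SECONDS = 10  # sliding window length in seconds (assumed)

# Simplified record layout constructed for this example; it is not real auditd syntax.
LINE_RE = re.compile(r"ts=(\d+) pid=(\d+) comm=(\S+) syscall=(\S+) target_pid=(\d+) target_comm=(\S+)")

def parse_record(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, comm, syscall, tpid, tcomm = m.groups()
    return {"ts": int(ts), "pid": int(pid), "comm": comm, "syscall": syscall,
            "target_pid": int(tpid), "target_comm": tcomm}

def find_bulk_reads(lines):
    """Group memory-read syscalls by (caller, target); flag bursts against auth processes."""
    timestamps = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["syscall"] not in MEMORY_READ_SYSCALLS:
            continue
        if rec["target_comm"] not in AUTH_PROCESSES:
            continue  # a debugger attached to an ordinary application is expected noise
        timestamps[(rec["pid"], rec["comm"], rec["target_pid"], rec["target_comm"])].append(rec["ts"])
    alerts = []
    for (pid, comm, tpid, tcomm), times in timestamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append({"caller_pid": pid, "caller": comm, "target_pid": tpid,
                               "target": tcomm, "reads": len(times)})
                break
    return alerts

# Constructed sample: a debugger on a non-auth process, six reads of sshd memory in six seconds, two keyring reads.
SAMPLE_LOG = [
    "ts=1000 pid=4100 comm=gdb syscall=ptrace target_pid=2222 target_comm=myapp",
    *[f"ts={1000 + i} pid=5200 comm=unknown_bin syscall=process_vm_readv target_pid=811 target_comm=sshd"
      for i in range(6)],
    "ts=1100 pid=6300 comm=backup_svc syscall=process_vm_readv target_pid=640 target_comm=gnome-keyring-daemon",
    "ts=1103 pid=6300 comm=backup_svc syscall=process_vm_readv target_pid=640 target_comm=gnome-keyring-daemon",
]
```

The single debugger attach and the two below-threshold keyring reads are ignored, so `find_bulk_reads(SAMPLE_LOG)` yields one alert, for the burst against sshd; tuning `BULK_THRESHOLD` and `WINDOW_SECONDS` to a fleet's real baseline is what keeps the second detection row's false positives down.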
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Implement memory protection and exploit prevention capabilities |
| M1041 | Encrypt Sensitive Information | Implement credential encryption in memory and secure memory management |
| M1050 | Exploit Protection | Implement address space layout randomization and memory protection mechanisms |