There’s no doubt about it: attackers want your credentials more than anything, especially administrative credentials. Why burn a zero-day or risk noisy exploits when you can just log in instead? If you were to break into a house, would you rather throw a brick through a window or use a key to the front door?

Once attackers are in and want to stay stealthy, they will try to steal as many credentials as possible.

Types of Credential Access

Credentials can be stolen via brute force, although that is a noisy attack for anyone paying the slightest attention to their systems. There are also many examples of attackers stealing hashed passwords and either passing the hash or cracking them offline. Although pass the hash is called out later under Lateral Movement, Credential Access is the tactic in which those hashes are stolen. The last set of techniques revolves around stealing clear-text passwords, which can be stored in clear-text files, databases, or even the registry.

Many of the techniques in this tactic are examples of how an attacker would obtain passwords. In all of these cases, the same recommendation applies that we should all follow in our digital lives: use unique and complex passwords for every account.

Most important here is not using the same local administrator password for each system. It is not unheard of to see an attacker compromise one system, steal the local hashed passwords, and crack the local administrator password. If that is the same across the enterprise, the attacker now has administrative access to the entire network.
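
The reuse problem described above can be audited from the defender's side. The following is an added example, not code from the original article; it assumes a hypothetical inventory export of local administrator NT hashes per host (the records and the placeholder hash values are constructed) and reports which hosts share a password and how far one compromised host would reach.

```python
from collections import defaultdict

# NT hash of the empty password (a well-known constant).
BLANK_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample inventory: (host, local account, enabled, NT hash).
# The non-blank hash values are made-up placeholders, not real hashes.
INVENTORY = [
    ("ws-001", "Administrator", True,  "AAAA1111AAAA1111AAAA1111AAAA1111"),
    ("ws-002", "Administrator", True,  "aaaa1111aaaa1111aaaa1111aaaa1111"),
    ("ws-003", "Administrator", True,  "aaaa1111aaaa1111aaaa1111aaaa1111"),
    ("srv-db", "Administrator", True,  "bbbb2222bbbb2222bbbb2222bbbb2222"),
    ("srv-fs", "Administrator", False, "aaaa1111aaaa1111aaaa1111aaaa1111"),
    ("kiosk1", "Administrator", True,  BLANK_NT_HASH),
]


def reuse_clusters(inventory):
    """Return groups of hosts whose enabled local admin accounts share a hash."""
    by_hash = defaultdict(set)
    for host, _account, enabled, nt_hash in inventory:
        if not enabled:
            continue  # this example only counts accounts that can log on
        # Normalize so the same hash exported in different case still matches.
        by_hash[nt_hash.strip().lower()].add(host)
    clusters = [sorted(hosts) for hosts in by_hash.values() if len(hosts) > 1]
    return sorted(clusters, key=len, reverse=True)


def blast_radius(inventory, compromised_host):
    """Hosts that share a local admin password with the compromised host."""
    reachable = set()
    for cluster in reuse_clusters(inventory):
        if compromised_host in cluster:
            reachable.update(cluster)
    reachable.discard(compromised_host)
    return sorted(reachable)


def blank_password_hosts(inventory):
    """Hosts with an enabled local admin account that has an empty password."""
    return sorted(host for host, _account, enabled, nt_hash in inventory
                  if enabled and nt_hash.strip().lower() == BLANK_NT_HASH)


if __name__ == "__main__":
    for cluster in reuse_clusters(INVENTORY):
        print(f"shared local admin password on {len(cluster)} hosts: {cluster}")
    print("blank local admin password:", blank_password_hosts(INVENTORY))
```

An empty list from `reuse_clusters` is the target state, which is what per-host unique local administrator passwords produce.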

Just as important is using complex passwords. Requiring uppercase, lowercase, numbers, and special characters has been the basic advice for years. However, using passphrases is just as effective.

The goal here is (Read more...)