
MITRE ATT&CK vulnerability spotlight: Credentials in registry

Introduction

MITRE is a U.S. government federally-funded research and development center (FFRDC). Its purpose is to act as a trusted third party for the U.S. government, to perform research and development, and to provide unbiased audits of commercial tools, processes and more on the government's behalf.

As part of its research and development efforts, MITRE has developed the MITRE ATT&CK tool to help formalize cybersecurity research and development, penetration testing exercises and the design of cybersecurity defenses. The MITRE ATT&CK tool breaks the life cycle of a cyberattack into discrete stages, each with specific objectives, and describes the various means by which an attacker could achieve each objective.

Why are credentials in the registry?

One of the attack stages described in the MITRE ATT&CK tool is credential access, where an attacker tries to steal user credential information in order to gain access to new accounts or to elevate privileges on a compromised system. One of the means by which an attacker can carry out this stage of an attack is by extracting credentials from where they are stored in the Windows registry.

The Windows registry acts as a system-wide configuration store for the Windows OS and the applications running on it. It has a hierarchical structure: a few root "hives", each containing a tree of keys that behave like folders. A key can contain further subkeys and/or named values, each value pairing a parameter with its data.

Windows provides the ability to secure different keys within the registry at different levels. Each registry key carries an access control list (ACL) whose entries specify which users and groups hold which permissions (such as reading values, setting values or creating subkeys) on that key.
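The ACL model described above is also what a defender can audit. The following PowerShell script is an added example (not code from the original post or from MITRE): it reads the ACL of a few registry keys that commonly hold sensitive configuration and reports any entry that grants write rights to a low-privilege principal, then checks whether an autologon password is stored in plaintext. The list of keys and the list of low-privilege principals are assumptions chosen for illustration and should be extended for a real review; run it in an elevated PowerShell session on the host being assessed.

```powershell
# Added example: audit registry key ACLs for entries that let low-privilege
# principals modify keys where credentials or security-relevant settings may live.
# Assumptions: elevated session; the key list below is illustrative, not exhaustive.

$KeysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # autologon settings
    'HKLM:\SYSTEM\CurrentControlSet\Services'                        # service configuration
)

# Principals that should not normally hold write rights on sensitive keys (assumed list).
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Registry rights that allow a principal to change a key or its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-WeakRegistryAcl {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            # Only Allow entries granted to a low-privilege principal are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -ne 0) {
                [pscustomobject]@{
                    Key       = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WeakRegistryAcl -Paths $KeysToAudit | Format-Table -AutoSize

# Separately, warn if Winlogon autologon stores a plaintext password in the registry.
$winlogon = Get-ItemProperty -Path $KeysToAudit[0] -ErrorAction SilentlyContinue
if ($winlogon -and $winlogon.DefaultPassword) {
    Write-Warning 'Winlogon DefaultPassword is set: an autologon credential is stored in plaintext.'
}
```

An empty table from Get-WeakRegistryAcl means none of the listed principals can write to the audited keys; inherited entries point to a permissive parent key rather than the key itself.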

If an attacker has the necessary level of access to a target system, they might be able to extract user credentials from the Windows registry. Credential information is stored in the registry for a few different reasons:

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/bslnF0V1f98/