There’s no doubt, attackers want your credentials i.e. administrative credentials or valid account. Valid accounts in a nutshell, “Accounts which are acceptable or authenticated”. One of the stages in the MITRE’s attack life cycle is the evasion of the defensive solutions put in place by the network defenders. Most cybersecurity defences are designed to be equivalent to a lock on the front door. Anyone without a valid key should not be able to open the door without being noticed. As a result, attackers often have to find ways to circumvent these protections (similar to lock picking or breaking down the door). However, another option for getting past a lock is stealing and using the key designed for it. If the theft of the key is subtle enough, then this method can be the most subtle option for gaining access. For cyber attackers that requires a subtle approach, stealing and using valid credentials is a good option.
This stage of initial access offers many options for attackers, one such is the use of valid accounts:(https://attack.mitre.org/techniques/T1078/).
Types of Valid Accounts:
Accounts that an adversary may use can fall into four categories:
Default Account: (T1078.001)
Accounts that are built-into an OS such as Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.
Local Accounts: (T1078.003)
Accounts that are configured by an organization for use by users, remote support, services, or for administration on a single system or service
Domain accounts: (T1078.002)
Accounts that are managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Cloud Accounts: (T1078.004) :
Accounts that are created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Window Active Directory. Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.
How to get credentials of a valid account?
Attackers with good-knowledge can acquire credentials through social engineering or specially-crafted lookalike websites that tricks a user into divulging their username and password.
One such example is the use of phishing attacks, here the main goal is credential theft. These phishing emails are designed to mimic a legitimate communication from an organization that the recipient would trust and convince them to take an immediate action like entering their credentials into a web page (controlled by the attacker), allowing the phisher to steal the credentials in question.
Let’s say an adversary has access to one such valid account, or he has stolen credentials of a specific user or service account using Credential Access techniques or captured credentials earlier in the reconnaissance process through social engineering for means of gaining Initial Access.
This access separates an adversary from impersonating as someone else, or even as a service running on a system. By using Valid Accounts an adversary can often go undetected within an environment or on a website. And generally the system or website are none the wiser to identify, if it is a legitimate user or an intruder.
We can get the credentials from Locations like:
As we know internet is vast and the amount of content published on it every day, every second, is unfathomable, but we can still expect it to help us. We need to find a way to cut through the chaff and get the information that’s valuable to us i.e. a valid credential.
- WEBSITE [ emails,contact number, domains etc ]
- CERTIFICATIONS [ domain info ]
- SOCIAL MEDIA [ employees details , emails ]
- CLOUD SERVICES
- IMAGE [geo location ]
- DARK WEB
Red Team: Attack Scenario
In the below example we have leveraged the BeEF – The Browser Exploitation Framework Project to clone the Gmail login page and serve it up as a phishing website to an unsuspecting user. He is convinced to enter his account credentials, once he enters he will be redirected to the attacker’s website as shown below. And his credentials will be captured, which can be used for further exploitation.
Captured credentials of the user:
Once credentials are captured, these will help them to access systems outside the employee’s normal usage, i.e. outside the employee’s normal work schedule.
Attackers will try to increase the scope and utility of their foothold on the system. Credentials shared between multiple systems in a network may allow the attacker to move laterally and compromise additional computers within the network.
Detecting the use of valid accounts to evade cybersecurity defences requires going beyond the standard password-based system for user authentication. If an attacker has stolen a user’s credentials,
- It is necessary to be able to differentiate between the legitimate user and the attacker who has access to their credentials.
One means of detection is performing behavioural monitoring and analysis of user accounts. For example, a particular employee typically only uses their computer for browsing the Internet and word processing.
- An alert should be raised if that account is suddenly using SSH to access other machines and performing database lookups.
Another way to find potential compromises involve correlating information from multiple sources.
- Like identifying that a user is logged into multiple accounts simultaneously or that a user is “locally” using a computer when building access logs show that they’re not currently on-site.
For cloud accounts, we can
- Perform regular audits to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours.
Protecting against and mitigating attacks using valid accounts involves attempting to cut it off, at every stage of its life cycle. A first step is attempting to prevent the compromise of the valid credentials in the first place, like:
- Scanning for and protecting against phishing emails.
- Installing antivirus on all machines to detect keyloggers.
- Monitoring for attempts to extract the /etc/shadow or SAM files containing password hashes.
- Efforts should also be made to minimize the impact of the breach of user credentials.
Password management best practices should be enforced, like:
- Requiring strong passwords for all accounts
- Minimizing the scope and permissions of any accounts
- Periodically searching for unused or unauthorized domain or local accounts
- Monitoring for known breaches of user credentials (i.e. enabling alerts with Firefox, HaveIBeenPwned, etc.) and requiring a password reset if found
- Changing default credentials installed on all machines
- Periodically change SSH keys when possible
Conclusion: Protecting against misuse of valid accounts:
Many systems use the password-based authentication model for managing access to systems and services despite the fact that passwords are shown again and again to be an insecure method of managing access. Augmenting password-based authentication with multi-factor authentication (MFA) is always a good idea, as well as not relying solely on passwords to manage access.
Monitoring accounts for unusual behavior or evidence of a breach is an important component of protecting against this type of attack.