Common Information

Value: Credentials in Files - T1081
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster

Description:

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

Detection: While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process command-line parameters
Permissions Required: User, Administrator, SYSTEM
System Requirements: Access to files
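The detection guidance above amounts to a keyword watch over process command lines. The following Python script is an added example (not part of the MISP cluster or of the ATT&CK entry) that applies exactly the term list the description gives to a handful of constructed process-creation events; the `pid=... user=... cmd=...` event format, the sample events themselves, and the browser allow-list are all assumptions made for the example, and the single false positive (a browser URL containing "login") is left in the sample to show why such an allow-list is needed.

```python
import re
from typing import Dict, List, Optional

# Term list taken from the T1081 detection guidance quoted above.
CREDENTIAL_TERMS = ("password", "pwd", "login", "secure", "credentials")

# Case-insensitive match; a letter directly before the term is not allowed so
# that e.g. "haspwd" does not match, but a wildcard or path separator may precede it.
TERM_RE = re.compile(
    r"(?<![A-Za-z])(" + "|".join(CREDENTIAL_TERMS) + r")", re.IGNORECASE
)

# Hypothetical event format for this example: one process-creation event per line.
EVENT_RE = re.compile(r"pid=(?P<pid>\d+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)")

# Assumed allow-list of images whose command lines routinely carry URLs with
# "login" or "secure" in them; tune this to the environment being monitored.
BENIGN_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "pid=4120 user=alice cmd=notepad.exe C:\\Users\\alice\\notes.txt",
    "pid=4188 user=alice cmd=findstr /si password *.xml *.ini *.txt",
    "pid=4201 user=svc_web cmd=grep -ri credentials /var/www/config",
    "pid=4233 user=bob cmd=chrome.exe https://intranet.example/login",
    "pid=4301 user=bob cmd=dir /s /b *pwd* *login*",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the pid/user/cmd fields of one event line, or None if malformed."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first token of a command line."""
    first = cmdline.split()[0] if cmdline.split() else ""
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_credential_search_terms(cmdline: str) -> List[str]:
    """All T1081 watch terms present in a command line, de-duplicated, in order of appearance."""
    seen: List[str] = []
    for match in TERM_RE.finditer(cmdline):
        term = match.group(1).lower()
        if term not in seen:
            seen.append(term)
    return seen


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per event whose command line carries a watch term and whose
    image is not on the allow-list. Each hit carries pid, user, cmd and matched terms."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        if image_name(event["cmd"]) in BENIGN_IMAGES:
            continue
        terms = find_credential_search_terms(event["cmd"])
        if terms:
            hits.append(
                {
                    "pid": int(event["pid"]),
                    "user": event["user"],
                    "cmd": event["cmd"],
                    "terms": terms,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} user={hit['user']} terms={hit['terms']} cmd={hit['cmd']}")
```

Run as-is it reports the `findstr`, `grep` and `dir` events and suppresses the browser URL. In a real pipeline the allow-list would be keyed on the full image path and signer rather than the basename, and the term list would be extended with the wording used in your own environment (for example the names of your configuration files).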
Related CTI

Published | Attributes | CTI | Title
2024-11-15 | 38 | Website | Dark Web Profile: Cadet Blizzard
2024-11-15 | 7 | Website | AI Enhancing Your Adversarial Emulation | Google Cloud Blog
2024-11-07 | 63 | Website | Weekly Intelligence Report - 08 Nov 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
2024-10-25 | 30 | Website | TeamTNT's Docker Gatling Gun Campaign
2024-10-17 | 16 | Website | Dark Web Profile: Evil Corp - SOCRadar® Cyber Intelligence Inc.
2024-10-17 | 16 | Website | Dark Web Profile: Evil Corp
2024-10-16 | 4 | Website | 5 Techniques for Collecting Cyber Threat Intelligence
2024-10-16 | 4 | Website | 5 Techniques for Collecting Cyber Threat Intelligence - RedPacket Security
2024-10-11 | 71 | Website | Weekly Intelligence Report - 11 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
2024-10-07 | 141 | Website | Mind the (air) gap: GoldenJackal gooses government guardrails
2024-09-06 | 58 | Website | CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
2024-09-05 | 396 | Website | Russian Military Cyber Actors Target US and Global Critical Infrastructure | CISA
2024-09-04 | 71 | Website | AZORult Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog
2024-07-29 | 20 | Website | Attackers (Crowd)Strike with Infostealer Malware - Perception Point
2024-04-11 | 94 | Website | Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming | Recorded Future
2024-04-01 | 124 | Website | From OneNote to RansomNote: An Ice Cold Intrusion
2024-01-04 | 63 | Website | Self-Assessment Using ATT&CK (APT3, Second Scenario)
2023-11-28 | 81 | Website | Aki-RATs - Command and Control Party
2023-10-05 | 39 | Website | Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough - ANY.RUN's Cybersecurity Blog
2023-09-29 | 25 | Website | The Thin Line: Educational Tools vs. Malicious Threats - A Focus on The-Murk-Stealer - CYFIRMA
2023-09-15 | 816 | Website | UNC3944: SMS Phishing, SIM Swapping, and Ransomware Attacks
2023-08-28 | 135 | Website | HTML Smuggling Leads to Domain Wide Ransomware - The DFIR Report
2023-07-25 | 6 | Website | APT Profile: Kimsuky - SOCRadar® Cyber Intelligence Inc.
2023-07-20 | 33 | Website | Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells | CISA
2023-07-13 | 43 | Website | Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group