Unsecured Credentials: Credentials In Files


Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Passwords can also be extracted from backups or saved virtual machines through OS Credential Dumping [MITRE], and may be obtained from Group Policy Preferences stored on the Windows Domain Controller.

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files. They may also be found as parameters to deployment commands in container logs. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.

AWS Specific Content


A prerequisite of this technique is that the credentials of an AWS IAM identity are stored insecurely, either on a local file system or on the public internet.

Threat actors may search on-premises local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

A file commonly associated with this technique is the .env file, an environment variable file used by some services and operating systems to store configuration for the host service or operating system. Such a file can also contain long-term AWS IAM credentials. AWS credentials have also previously been found in files publicly available on GitHub and used by threat actors to gain access to an AWS account.

Detection

AWS Specific Content


Actions taken with any IAM credentials are logged in AWS CloudTrail. Review your environment to determine whether any IAM credentials are sourced from files used by your workloads.


Mitigation

AWS Specific Content


Where a threat actor is able to find AWS credentials in unsecured files, the following IAM security best practices help mitigate unauthorized use of the IAM user credentials found: migrate from long-term credentials to temporary credentials, require multi-factor authentication (MFA), rotate and update access keys when needed, and apply least-privilege permissions to IAM users.

Additionally, git-secrets can help prevent you from committing passwords and other sensitive information to a git repository.

The following Service Control Policy limits the IP addresses from which IAM users can make requests to a trusted range. This helps prevent use of an access key by unauthorized parties from unexpected IP addresses:


{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "RestrictIAMBySourceIP",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "192.0.2.0/24",
                    "203.0.113.0/24"
                ]
            },
            "BoolIfExists": {
                "aws:ViaAWSService": "false"
            },
            "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:user/*"
            }
        }
    }
}


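As an added example (not part of the original page and not AWS's own tooling), the following Python reviews a workload's files for embedded long-term IAM access key IDs and then applies the SCP's condition to CloudTrail-style records: an IAM user's long-term key used from an address outside the trusted ranges, skipping calls that an AWS service made on the user's behalf. The trusted ranges, the file content and the CloudTrail records are constructed for illustration and use AWS's documentation placeholder key, not a real credential.

```python
"""Review files for embedded long-term IAM access keys, then flag CloudTrail
records where such a key is used from outside a trusted IP range (the same
condition the SCP above expresses)."""
import ipaddress
import re

# Long-term IAM user access key IDs start with "AKIA"; temporary STS keys start
# with "ASIA". The long-term kind is what ends up saved in a .env file.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Constructed trusted ranges (same documentation ranges as the SCP above).
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "203.0.113.0/24")]


def find_keys_in_text(text):
    """Return (line number, access key ID) for every long-term key ID in text."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in ACCESS_KEY_RE.finditer(line)]


def flag_untrusted_key_use(records, trusted=TRUSTED_RANGES):
    """Keep records where an IAM user's long-term key is used from an IP outside
    `trusted`. Calls made via an AWS service carry a service hostname as
    sourceIPAddress and are skipped, like the SCP's aws:ViaAWSService exception."""
    flagged = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        key = str(ident.get("accessKeyId", ""))
        if ident.get("type") != "IAMUser" or not key.startswith("AKIA"):
            continue
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # e.g. "cloudformation.amazonaws.com": not a client IP
        if not any(ip in net for net in trusted):
            flagged.append((ev["eventName"], ident.get("userName"), key, str(ip)))
    return flagged


# Constructed sample input using AWS's documentation placeholder key.
SAMPLE_ENV = "DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
SAMPLE_TRAIL = [  # constructed, trimmed CloudTrail-style records
    {"eventName": "ListBuckets", "sourceIPAddress": "192.0.2.10", "userIdentity":
     {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77", "userIdentity":
     {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "CreateStack", "sourceIPAddress": "cloudformation.amazonaws.com", "userIdentity":
     {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77", "userIdentity":
     {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPKEY00"}},
]

if __name__ == "__main__":
    print(find_keys_in_text(SAMPLE_ENV))
    print(flag_untrusted_key_use(SAMPLE_TRAIL))
```

Only the GetCallerIdentity call is flagged: the ListBuckets call comes from a trusted range, the CreateStack call was made via CloudFormation, and the DescribeInstances call used a temporary role credential rather than an IAM user's long-term key.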
Technique Information

ID: T1552.001
Aliases: T1552.001
Sub-technique of: T1552
Tactics:
  • Credential Access
Platforms:
  • Windows
  • IaaS
  • Linux
  • macOS
  • Containers
  • Amazon Web Services (AWS)
Created: 04 Feb 2020
Last Modified: 30 May 2025