One of MITRE’s efforts in the field of cybersecurity is the development and maintenance of the MITRE ATT&CK matrix. This tool breaks down the life cycle of a standard cyberattack into phases and describes the different means by which an attacker could achieve the objectives of each phase.

Why are credentials in files?

The MITRE ATT&CK matrix breaks the cyberattack life cycle into phases, one of which is credential access. At this point in the attack, the hacker is attempting to gain access to user credentials that can then be used to gain access to accounts or escalate privileges on a system. One of the methods that an attacker can accomplish this stage of the attack is by searching for and extracting user credentials from files on a compromised system. Best practice states that user credentials should be properly protected and stored in an encrypted fashion, not saved in plaintext in a file. However, user credentials can end up in unprotected files for a variety of different purposes:

End users: Some computer users don’t use or trust password managers and prefer to store their account passwords in a text file on their system Credential stores: Groups of users may have shared credential stores for shared accounts or collections of individual accounts Configuration files: Configuration files for applications may contain credentials, API keys and so on for communication with other programs or online accounts Hard-coded credentials: Some applications may contain hard-coded credentials designed for interaction with accounts or other applications Cloud computing: Credentials are frequently stored in configuration and credential files on the cloud deployment Log files: An application may securely obtain user credentials but save them to a log file or crash report on the system

These are only some of the reasons that user credentials can end up in insecure files on a system. However, regardless of the reason, credentials stored unencrypted could be vulnerable to an attacker with access to the system. Many tools and types of malware include functionalities designed to identify and exfiltrate data that appears to be a password or other authentication information.

Examples of credentials in files

Credentials can end up in files for a variety of different reasons. There are certainly cases where people put them there intentionally. Many people consider a text document on their laptop or phone as a convenient place to store their usernames and passwords. However, credentials can also end up in files unintentionally. This happened to Facebook in a widely-publicized incident revealed in March 2019 — an incident which had been ongoing since 2012. Facebook is a platform, and Facebook developers are among those who are able to develop applications to run on the platform. Unfortunately, Facebook also allowed these applications to have access to plaintext passwords. The applications in question had logging code designed to deal with errors, track certain events and more. However, these logs also had the ability to access users’ plaintext passwords and store them to internal Facebook servers. The Facebook passwords of between 200 and 600 million Facebook users were stored unencrypted in databases that were accessible to Facebook developers and engineers. Facebook discovered no indication that these logs had been breached or that access to them had been misused by the 20,000 Facebook employees that had access. However, the incident represents a major potential security issue for Facebook and demonstrates that password storage in files is not always intentional.

Detection and mitigation

Detecting hard-coded passwords in files requires performing the same scanning operations that a hacker would do to find these passwords. If a user’s password is weak, scanning against lists of common passwords might help to find it; however, there will likely be a large number of false positives. While searching for the word password (and variations) can be effective in some cases, it can easily miss others. Some techniques to decrease the search complexity of finding stored passwords include:

Searching for names of common services Searching for the username as well Searching for files updated near the time of a password update Searching for strings that match password policies and formats of common credentials (such as API keys) Searching Active Directory for accounts with non-expiring passwords (may be non-expiring since they are hard-coded in scripts)

While searching for passwords leaked in files is likely to find the ones that an attacker would find as well, it’s not a perfect solution. Ideally, users should know not to store their credentials in files, so training is an important component of defense. However, mistakes can be made and not all credentials are placed in files by users. Restricting an attacker’s access to different files and directories through strict access controls on a computer, implementing least privilege to ensure that an attacker does not have the ability to read all files on a machine and configuring Active Directory to remove vulnerable Group Policy Preferences are all important steps in ensuring that attackers can’t find valuable credentials within files.

Conclusion: Protecting against credentials in file

Account credentials can end up in unprotected files for a variety of reasons. Some users will believe that their credentials are safest and most usable in a text file on the desktop, developers may hard-code credentials into applications to ensure that they run efficiently and application logging may leak plaintext passwords. User training and scanning for leaked credentials is an important component of minimizing the number and impact of credentials stored in files. However, some credentials will always be leaked in some way, whether through inclusion in files, data breaches or other means. Implementing least privilege and multi-factor authentication and monitoring user accounts for indicators of compromise are the best way to protect the organization.  

Sources

Credentials in Files, MITRE Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years, Krebs on Security Finding hard coded passwords in text files, Spiceworks