T1081.md

T1081 - Credentials in Files

Description from ATT&CK

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

Atomic Tests

• Atomic Test #1 - Browser and System credentials

• Atomic Test #2 - Extract credentials from files

• Atomic Test #3 - Mimikatz & Kittenz

• Atomic Test #4 - Extracting credentials from files

Atomic Test #1 - Browser and System credentials

LaZagne Source

Supported Platforms: macOS

Run it with sh!

python2 laZagne.py all

Atomic Test #2 - Extract credentials from files

Extracting credentials from files

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_path	Path to search	String	/

Run it with sh!

grep -riP password #{file_path}

Atomic Test #3 - Mimikatz & Kittenz

Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.

Supported Platforms: Windows

Run it with powershell!

invoke-mimikittenz
mimikatz.exe

Atomic Test #4 - Extracting credentials from files

Extracting Credentials from Files

Supported Platforms: Windows

Run it with powershell!

findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password