CAPEC-561

Windows Admin Shares with Stolen Credentials
Draft
2015-11-09 00:00 +00:00
2022-09-29 00:00 +00:00

Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

Information

Execution Flow

1) Explore

[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.

Technique
  • An adversary purchases breached Windows administrator credentials from the dark web.
  • An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
  • An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
  • An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
  • An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.

2) Experiment

[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access.

Technique
  • Manually or automatically enter each administrator credential through the target's interface.

3) Exploit

[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.

4) Exploit

[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares.
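The Experiment and Exploit steps above leave a recognisable trace in the Windows Security log: failed network logons, then a successful one, then access to a hidden administrative share from the same source. The following detection rule is an added example, not part of the CAPEC entry; the event IDs and field meanings (4625 failed logon, 4624 successful logon with logon type 3, 5140 share accessed) are real Windows Security events, while the sample records and the failure threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Hidden administrative shares: ADMIN$ (the Windows directory) and the per-drive
# shares C$, D$, ... . IPC$ is left out because it is far too noisy for this rule.
_ADMIN_SHARE = re.compile(r"^(ADMIN|[A-Z])\$$")
FAILED_THRESHOLD = 3  # constructed tuning value: failures that suggest guessing

# Constructed records using real Security-log field meanings: 4625 = failed
# logon, 4624 = successful logon (type 3 = network), 5140 = share accessed.
SAMPLE_EVENTS = [
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4624, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 5140, "src": "10.0.0.5", "user": "Administrator", "share": r"\\*\ADMIN$"},
    {"id": 4624, "src": "10.0.0.7", "user": "Administrator", "logon_type": 3},
    {"id": 5140, "src": "10.0.0.7", "user": "Administrator", "share": r"\\*\C$"},
    {"id": 4624, "src": "10.0.0.9", "user": "jdoe", "logon_type": 3},
    {"id": 5140, "src": "10.0.0.9", "user": "jdoe", "share": r"\\*\Public"},
]

def is_admin_share(share_name):
    """True for event-5140 share names such as \\\\*\\ADMIN$ or \\\\*\\C$."""
    base = share_name.rstrip("\\").rsplit("\\", 1)[-1].upper()
    return bool(_ADMIN_SHARE.match(base))

def detect_admin_share_abuse(events, threshold=FAILED_THRESHOLD):
    """One alert per admin-share access that follows a network logon.

    Events must be in chronological order. The alert's 'tier' says whether
    the credential looks guessed (failures before success) or was used
    directly, the CAPEC-561 case of a credential obtained elsewhere."""
    failed = defaultdict(int)
    logged_on = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["id"] == 4625 and ev.get("logon_type") == 3:
            failed[key] += 1
        elif ev["id"] == 4624 and ev.get("logon_type") == 3:
            logged_on.add(key)
        elif ev["id"] == 5140 and key in logged_on and is_admin_share(ev["share"]):
            alerts.append({
                "src": ev["src"], "user": ev["user"],
                "share": ev["share"], "failed_before_success": failed[key],
                "tier": "guessed" if failed[key] >= threshold else "direct",
            })
    return alerts

if __name__ == "__main__":
    for a in detect_admin_share_abuse(SAMPLE_EVENTS):
        print(a)
```

The "direct" tier is the one to watch for this pattern: a stolen or purchased credential succeeds on the first try, so a rule keyed only on failed logons would miss it.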

Prerequisites

The system/application is connected to the Windows domain.
The target administrative share allows remote use of local admin credentials to log into domain systems.
The adversary possesses a list of known Windows administrator credentials that exist on the target domain.

Skills Required

Once an adversary obtains a known Windows credential, leveraging it is trivial.

Resources Required

A list of known Windows administrator credentials for the targeted domain.

Mitigations

Do not reuse local administrator account credentials across systems.
Deny remote use of local admin credentials to log into domain systems.
Do not allow accounts to be a local administrator on more than one system.

Related Weaknesses

CWE-ID Weakness Name
CWE-522 Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-308 Use of Single-factor Authentication
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
CWE-309 Use of Password System for Primary Authentication
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
CWE-294 Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-263 Password Aging with Long Expiration
The product supports password aging, but the expiration period is too long.
CWE-262 Not Using Password Aging
The product does not have a mechanism in place for managing password aging.
CWE-521 Weak Password Requirements
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

References

REF-577

Overview of problems that may occur when administrative shares are missing
https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-mis

REF-578

APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
Rob Smallridge.
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

REF-579

Operation Cobalt Kitty: Cybereason Labs Analysis
Assaf Dahan.
https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Description, Extended_Description