Detect Credential Access with Elastic Security

By

Samir Bousseaden

English
blog-thumb-blind-spots.png

Preamble

Credential Access consists of techniques for stealing credentials like cookies, API keys, and passwords. It is one of the top critical tactics that is almost guaranteed to occur during an attack lifecycle, ranging from phishing to infostealer malware to more complicated post-exploitation techniques. Therefore, covering it from different angles increases opportunities for early detection and prevention. Elastic Endpoint Security 7.15 added new file and registry events to provide defenders with better visibility on techniques and procedures involving some form of sensitive files and/or registry objects access:

Hunting for Credential Access

With the Endpoint security integration enabled, you can explore those new events using generic KQL or EQL queries:

KQL and EQL queries to view file and registry events.

// EQL via Security -> Timelines -> New -> Correlation
any where event.category in ("file", "registry") 
  and event.action in ("query", "open")

// KQL via Discover
event.category : ("file" or "registry") 
  and event.action : ("open" or "query")
Below, you can see an example of file events logged as a result of running two known security assessment tools: Lazagne and Seatbelt. These tools include checks for a multitude of credentials and interesting files used in common software:
KQL query identifying Lazagne and Seatbelt
Here are some example registry events logged as a result of running Mimikatz (lsadump::sam, cache, lsa, and secrets submodules) and Seatbelt (PuttyHostKeys SSH enumeration):
KQL query identifying Mimikatz and Seatbelt
Leveraging EQL’s correlation capabilities to link those new events with other event categories (such as process, registry, network, and/or 
authentication) is a great enabler for detection and hunting.
The process.entity_id field is a globally unique identifier used to mitigate PID reuse as well as to identify a specific process over time.

This EQL query uses the process.entity_id field to detect a process accessing multiple sensitive files in a short period of time, which is usually a higher-confidence signal than looking for single file access:

Process accessing multiple sensitive files in a short period of time
sequence by process.entity_id with maxspan=1m
 [process where event.action == "start"]

 // at least 3 unique file.paths, runs=* is supported in EQL 7.16+
 [file where event.action == "open"] with runs=3
Here is an example of a match for 3 different and unrelated types of credentials (email, DPAPI system MasterKey and Sysprep unattended):
EQL query showing email, DPAPI, and Sysprep credentials
Now let’s hunt for remote access to sensitive files over SMB, such as the following:
Moving sensitive file with SMB
We can detect this behavior with EQL that correlates a remote logon event (4624) with sensitive file access by the same 
user.id:

Correlating remote logon with sensitive file access
sequence by host.id with maxspan=5m

  [authentication where event.action == "logged-in" and
    /* event 4624 need to be logged */
    winlog.logon.type : "Network" and 
    event.outcome == "success" and source.ip != null and 
    source.ip != "127.0.0.1" and 
    source.ip != "::1"] by winlog.event_data.TargetUserSid

   /* requires Elastic Endpoint Security Integration 7.15+ */
  [file where event.action == "open" and process.pid == 4] by user.id
Read more
The above query results correlate relevant fields like the source.ip, user.id, and file.path:
EQL query correlating relevant fields

Behavior Protection

In addition to being able to use those events in detection rules, Elastic Endpoint Security includes built-in malicious behavior protection rules that can automatically react to high-confidence, highly-suspicious sensitive file/registry accesses.

For example, here we can see Elastic Endpoint’s behavior protection rules catching:

Elastic Endpoint Security preventing credential theft attempts
Here are detections of Chrome Login Data file access by different infostealers (Poulight StealerAgentTesla) including lolbins (powershell script):
Elastic Endpoint Security preventing information stealing
Below are some example detections for Windows Credential Manager Store access by common stealers AgentTesla and FormBook:
Elastic Endpoint Security preventing Windows Credential Manager Store theft

Monitored File and Registry Paths

The current list of monitored file and registry paths is listed below. Due to data volume and performance concerns, the Elastic Endpoint generates only one event per process.entity_id for a given file or registry pattern in the list. From a detection point of view this won’t create any visibility gap since we emit an event on the first file or registry access performed by any process.

Monitored registry paths
registry_paths:
  # SAM - Encrypted Local Account Pwd hashes
  - '\REGISTRY\MACHINE\SAM'
  - '\REGISTRY\MACHINE\SAM\SAM\Domains\*'

  # SYSTEM - Bootkey/Syskey GBG, JD, Skew1
  - '\REGISTRY\MACHINE\SYSTEM\ControlSet00?\Control\Lsa\JD'
  - '\REGISTRY\MACHINE\SYSTEM\ControlSet00?\Control\Lsa\Skew1'
  - '\REGISTRY\MACHINE\SYSTEM\ControlSet00?\Control\Lsa\GBG'
  # SECURITY - LSA key, encrypted domain cached pwd and machine account pwd
  - '\REGISTRY\MACHINE\SECURITY\CACHE*'
  - '\REGISTRY\MACHINE\SECURITY\POLICY\SECRETS\*'

  # Registry - Putty SSH Keys
  - '\Registry\Machine\Software\SimonTatham\PuTTY\SshHostKeys\*'
  - '\Registry\User\*\Software\SimonTatham\PuTTY\SshHostKeys\*'

  # Sysadmin - WinSCP
  - '\REGISTRY\User\*\software\Martin Prikryl\WinSCP 2\Sessions\*\Password*'

  # Sysadmin - TeamViewer
  - '\REGISTRY\Machine\SOFTWARE\WOW6432Node\TeamViewer\PrxyPassword*'

  # Sysadmin - OpenVPN
  - '\REGISTRY\User\*\Software\OpenVPN-GUI\Configs\auth-data*'

  # Outlook Passwords
  - '\Registry\User\*\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\*Password'
  - '\Registry\Users\*\Software\Microsoft\Office\*.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676'
Read more
Monitored registry paths
file_paths:
  # DPAPI - User MasterKey
  # DPAPI - CREDHIST
  - 'C:\Users\*\AppData\Roaming\Microsoft\Protect\*'

  # DPAPI - System MasterKey
  - '?:\Windows\System32\Microsoft\Protect\S-1-5-18\User\*'

  # CredVault - User
  - '?:\Users\*\AppData\Roaming\Microsoft\Vault\*'
  - '?:\Users\*\AppData\Local\Microsoft\Vault\*'

  # CredVault - System
  - '?:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\*'

  # CredMan - Users
  - '?:\Users\*\AppData\Roaming\Microsoft\Credentials\*'
  - '?:\Users\*\AppData\Local\Microsoft\Credentials\*'

  # CredMan - System
  - '?:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\*'
  - '?:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Credentials\*'

  # CredMan - Service
  - '?:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\*'
  - '?:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Credentials\*'
  - '?:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\*'
  - '?:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Credentials\*'

  # Unattended creds
  - '?:\Windows\Panther\Unattend.xml'
  - '?:\Windows\Panther\Unattended.xml'
  - '?:\Windows\Panther\Unattend\Unattended.xml'
  - '?:\Windows\Panther\Unattend\Unattend.xml'
  - '?:\Windows\System32\Sysprep\unattend.xml'
  - '?:\Windows\System32\Sysprep\Panther\unattend.xml'

  # Browser
  - '*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\key*.db'
  - '*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\logins.json'
  - '*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\cert*.db'
  - '*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\cookies.sqlite'
  - '*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\signons.sqlite'
  - '*\Users\*\User Data\Default\Login Data'
  - '*\users\*\AppData\Local\*\User Data\Default\Cookies'
  - '*\Users\*\AppData\Roaming\Opera Software\Opera Stable\*'

  # RDP
  - '*\Users\*\AppData\Local\Microsoft Corporation\Remote Desktop Connection Manager\RDCMan.settings'
  - '*\Users\*\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings'

  # Database - SVN
  - '?:\Users\*\AppData\Roaming\Subversion\auth\svn.simple'

  # Database - postgresql
  - '?:\Users\*\AppData\Roaming\postgresql\pgpass.conf'

  # Database - robomongo
  - '?:\Users\*\.3T\robo-3t\*\robo3t.json'
  - '?:\users\*\.3T\robomongo\*\robomongo.json'
  - '?:\users\*\.config\robomongo\*\robomongo.json'

  # Database - squirrel
  - '?:\Users\*\.squirrel-sql\SQLAliases23.xml'

  # Database - DbVisualizer
  - '?:\Users\*\.dbvis\config70\dbvis.xml'

  # Database - SQL Developer
  - '?:\Users\*\AppData\Roaming\SQL Developer\system*\o.jdeveloper.db.connection.*\connections.xml'
  - '?:\Users\*\AppData\Roaming\SQL Developer\system*\o.sqldeveloper.*\product-preferences.xml'

  # Cloud - AWS
  - '?:\Users\*\.aws\credentials\*'

  # Cloud - GCloud
  - '?:\Users\*\AppData\Roaming\gcloud\*'

  # Cloud - Azure
  - '?:\Users\*\.azure\*'

  # Cloud - Github
  - '?:\Users\*\.config\git\credentials'

  # Cloud - iCloud
  - '?:\users\*\AppData\Roaming\Apple Computer\Preferences\*'

  # Private Keys & Certs & Keepass
  - '*.pem'
  - '*.pfx'
  - '*.p12'
  - '*.pvk'
  - '*.key'
  - '*.ppk'
  - '*.rdg'
  - '*.kdb'
  - '*.kdbx'

  # Config - IIS Connection Strings
  - '?:\inetpub\wwwroot\*\web.config'

  # FileZilla Creds
  - '?:\Users\*\AppData\Roaming\FileZilla\*'

  # Jenkins Creds
  - '*\credentials.xml'
  - '*\secrets\master.key'
  - '*\secrets\hudson.util.Secret'

  # SSH and SSL
  - '?:\users\*\.ssh\*'

  # WIFI
  - '?:\\ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\*\\*.xml'

  # Collab
  - '?:\Users\*\AppData\Roaming\Slack\Cookies\*'
  - '?:\Users\*\AppData\Roaming\Slack\storage\slack-downloads\*'

  # GPP - 'Creds (legacy domains)

  - '?:\ProgramData\Microsoft\Group Policy\History\*\MACHINE\Preferences\Groups\Groups.xml'
  - '?:\ProgramData\Microsoft\Group Policy\History\*\MACHINE\Preferences\DataSources.xml'
  - '?:\ProgramData\Microsoft\Group Policy\History\*\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml'
  - '?:\ProgramData\Microsoft\Group Policy\History\*\MACHINE\Preferences\Services\Services.xml'
  - '?:\ProgramData\Microsoft\Group Policy\History\*\MACHINE\Preferences\Registry\registry.xml'
  - '?:\Users\*\AppData\Roaming\KeePass\KeePass*'

  # Thunderbird
  - '?:\Users\*\AppData\Roaming\Thunderbird\Profiles\*.default*\*'

  # VPN
  - '?:\Users\*\AppData\Local\NordVPN\NordVPN.exe*\user.config'

  # NTDS.DIT
  - '*\NTDS.DIT'

  # SAM
  - '*\SAM'
Read more

Closing thoughts

Leveraging the new events that are collected with our kernel mode driver, and not subject to user mode tampering, we expanded our detection and prevention coverage for both credential discovery and access. Furthermore, combining it with the correlation features of Elastic EQL, we can create interesting hunts and detection rules for a variety of scenarios, with minimal false positive rates.

References

  • Elastic Security Labs Newsletter

    Sign up

Related content

See all top stories

Videos

Click, Click… Boom! Automating Protections Testing with Detonate

To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.

By
Jessica David
Hez Carty
...
Videos

REF2924: how to maintain persistence as an (advanced?) threat

Elastic Security Labs describes new persistence techniques used by the group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD.

By
Remco Sprooten
Videos

Not sleeping anymore: SOMNIRECORD's wake-up call

Elastic Security Labs researchers identified a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS.

By
Salim Bitam