T0859 Valid Accounts
Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.
Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. 1
The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.
| Item | Value |
|---|---|
| ID | T0859 |
| Sub-techniques | |
| Tactics | TA0110, TA0109 |
| Platforms | Control Server, Data Historian, Engineering Workstation, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems.13 |
| G1000 | ALLANITE | ALLANITE utilized credentials collected through phishing and watering hole attacks. 11 |
| S0089 | BlackEnergy | BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. 1 |
| S1045 | INCONTROLLER | INCONTROLLER can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).8 |
| G0049 | OilRig | OilRig utilized stolen credentials to gain access to victim machines.11 |
| G0034 | Sandworm Team | In the Ukraine 2015 Incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 1211 |
| G0088 | TEMP.Veles | TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment. 10 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0936 | Account Use Policies | Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. 3 |
| M0915 | Active Directory Configuration | Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. 3 4 |
| M0913 | Application Developer Guidance | Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). 2 |
| M0947 | Audit | Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials. |
| M0937 | Filter Network Traffic | Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data. |
| M0932 | Multi-factor Authentication | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| M0927 | Password Policies | Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. 2 |
| M0926 | Privileged Account Management | Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. 5 6These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. 7 |
| M0918 | User Account Management | Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0028 | Logon Session | Logon Session Creation |
| DS0002 | User Account | User Account Authentication |
References
-
Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ↩↩
-
CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ↩↩
-
Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ↩↩
-
Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ↩
-
Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ↩
-
Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 ↩
-
Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ↩
-
DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022. ↩
-
Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. ↩
-
Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ↩
-
Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ↩
-
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. ↩