T1552.008 Chat Messages
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
Rather than accessing the stored chat logs (i.e., Credentials In Files), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation 1.
Item | Value |
---|---|
ID | T1552.008 |
Sub-techniques | T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008 |
Tactics | TA0006 |
Platforms | Google Workspace, Office 365, SaaS |
Version | 1.0 |
Created | 14 March 2023 |
Last Modified | 11 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1004 | LAPSUS$ | LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.2 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Preemptively search through communication services to find shared unsecured credentials. Searching for common patterns like “password is “, “password= ” and take actions to reduce exposure when found. |
M1017 | User Training | Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
References
-
Michael Osakwe. (2020, November 18). 4 SaaS and Slack Security Risks to Consider. Retrieved March 17, 2023. ↩
-
MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. ↩
-
Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023. ↩