CAPEC-643: Identify Shared Files/Directories on System

Description

An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.

Extended Description

Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.

The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.

Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.

Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.

Severity :

Medium

Possibility :

Medium

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-165: File Manipulation File Manipulation CAPEC-309: Network Topology Mapping Network Topology Mapping CAPEC-545: Pull Data from System Resources Pull Data from System Resources CAPEC-561: Windows Admin Shares with Stolen Credentials Windows Admin Shares with Stolen Credentials

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view \\remote system or net share).

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Network Share Discovery

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-267: Privilege Defined With Unsafe Actions

Visit http://capec.mitre.org/ for more details.