CAPEC-653: Use of Known Operating System Credentials

Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Extended Description

This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files which can effect other users who may use the system or other users on the system's network.

Severity :

High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-16: Dictionary-based Password Attack Dictionary-based Password Attack CAPEC-49: Password Brute Forcing Password Brute Forcing CAPEC-50: Password Recovery Exploitation Password Recovery Exploitation CAPEC-55: Rainbow Table Password Cracking Rainbow Table Password Cracking CAPEC-70: Try Common or Default Usernames and Passwords Try Common or Default Usernames and Passwords CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-560: Use of Known Domain Credentials Use of Known Domain Credentials CAPEC-561: Windows Admin Shares with Stolen Credentials Windows Admin Shares with Stolen Credentials CAPEC-565: Password Spraying Password Spraying CAPEC-568: Capture Credentials via Keylogger Capture Credentials via Keylogger CAPEC-600: Credential Stuffing Credential Stuffing CAPEC-644: Use of Captured Hashes (Pass The Hash) Use of Captured Hashes (Pass The Hash)

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.
The system/application does not have a sound password policy that is being enforced.
The system/application does not implement an effective password throttling mechanism.
The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low Once an adversary obtains a known credential, leveraging it is trivial.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A list of known credentials for the targeted domain.

A custom script that leverages a credential list to launch an attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-262: Not Using Password Aging

CWE-263: Password Aging with Long Expiration

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-308: Use of Single-factor Authentication

CWE-309: Use of Password System for Primary Authentication

CWE-522: Insufficiently Protected Credentials

CWE-654: Reliance on a Single Factor in a Security Decision

Visit http://capec.mitre.org/ for more details.