Tip: Use EDR to help eliminate the use of password documents in your organization

Khris Tolbert
Maveris Labs
4 min read · Aug 17, 2020


During a recent engagement with a client, we made one of the usual discoveries: passwords stored in clear text on a user's workstation. Red Teamers know this is a ubiquitous issue, and it is one of the first things we search for when we gain access to a user's workstation. The problem is amplified as an organization grows: the more users there are, the more likely it is that at least one of them stores passwords in clear text. Even when the risk has been drilled into users' heads and they are aware of it, some seem impervious and take the attitude, "Oh, I am definitely not going to be the one to get hacked." The MITRE ATT&CK framework addresses this issue under Unsecured Credentials: Credentials In Files (T1552.001) and offers Audit as a potential mitigation: "Preemptively search for files containing passwords and take actions to reduce the exposure risk when found."

[Image: Real Housewives / cat meme conveying that much of IT asks their users to stop writing down their passwords]
Users really hate it when we ask them not to store their KeePass master password under Users\Desktop\KeePass Password.txt

As we pondered different approaches to help with this, an idea popped into my head: how about using an EDR solution? I'm not claiming this is a novel idea, since it is just correlating and alerting on another data source, but EDRs are typically deployed to detect and alert on active malicious actions or actors. Using EDR data proactively, to identify and ultimately mitigate the risk of stored passwords before an attacker finds them, was transformational for us. With access to Microsoft Defender ATP (now Microsoft Defender for Endpoint), we went to work testing the feasibility. Defender ATP records a large amount of endpoint telemetry, including process creations with their full command lines and the files a process touches, so we reasoned we could query across the organization for files with "password" in the file name. Because the data behind the Advanced Hunting feature is collected in near real time, a single query can surface files that potentially hold clear-text credentials. We knew we would not find every such file, and we were aware the technique would produce some false positives, but it could still identify much of the obvious low-hanging fruit. After some tinkering and testing, we developed the following Advanced Hunting query as a proof of concept. It works because, when a user double-clicks a .txt file, Explorer launches the default handler (notepad.exe) with the file's path on its command line, so the file name ends up in the ProcessCommandLine column of the process-creation event:

DeviceProcessEvents
| where Timestamp > ago(7d)                        // last seven days of process-creation events
| where FileName in~ ("notepad.exe")               // in~ is case-insensitive
| where ProcessCommandLine contains "password"     // contains is case-insensitive; the opened file's path is on the command line
| top 100 by Timestamp                             // newest 100 hits

This query is just the beginning. It could be turned into a custom detection rule that raises an alert, or fed into a workflow that emails the user that they may be storing passwords improperly and points them to training on better options, such as the organization's password manager. It could also be extended from process creations to file activity: the DeviceFileEvents table records file create, modify, rename and delete events together with the file name and folder path, so any time Explorer (or anything else) copies, moves or deletes a file with "password" in its name, it can be caught. The query could be tuned to only alert on specific file types (such as .txt, .doc and .xls) and to exclude paths that legitimately carry the word (vendor documentation, password-policy templates). Your mileage may vary, but the application is limited only by your imagination and the power of the query language.
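The following query, added here as an example and not part of the original post or of Maveris's own tooling, carries those extensions through: it unions file events with editor launches, restricts to common document types, excludes two paths that tend to be noisy (an assumption about your environment; tune them), and summarizes per device and account so an analyst gets one row per likely offender rather than one row per event. It assumes the Defender Advanced Hunting schema (the DeviceFileEvents and DeviceProcessEvents tables and the column names used below).

```kusto
// Added example: extend the notepad.exe proof of concept to file events and
// other editors, then roll the hits up per device and account.
// Assumes the Defender Advanced Hunting schema; path exclusions are assumptions
// about a typical environment and should be tuned.
let lookback = 7d;
// File create/modify/rename events whose name contains "password" and whose
// extension is a common document type.
let fileHits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FileName contains "password"                      // case-insensitive
    | where tolower(FileName) matches regex @"\.(txt|docx?|xlsx?|csv|rtf)$"
    // Assumed noisy locations: OS files and temp copies created by installers/updaters.
    | where not(FolderPath startswith @"C:\Windows\")
    | where not(FolderPath contains @"\AppData\Local\Temp\")
    | project Timestamp, DeviceName,
              Account = InitiatingProcessAccountName,
              Source  = ActionType,
              Process = InitiatingProcessFileName,
              Detail  = FolderPath;
// Editor launches where the opened file's path (on the command line) contains "password".
let editorOpens = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("notepad.exe", "wordpad.exe", "winword.exe", "excel.exe")
    | where ProcessCommandLine contains "password"
    | project Timestamp, DeviceName,
              Account = AccountName,
              Source  = "EditorOpen",
              Process = FileName,
              Detail  = ProcessCommandLine;
// One row per device/account, with a handful of sample paths for triage.
union fileHits, editorOpens
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Samples   = make_set(Detail, 5)
  by DeviceName, Account
| order by Hits desc
```

The summarized shape is what you want behind an alert or a user-notification workflow: a single row per device and account tells you who to contact and the Samples column tells you which files to ask them about. Expect hits such as a password-policy document from HR or a vendor's "password reset guide"; add those file names or folders to the exclusions rather than loosening the "password" match.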

We can't say for sure whether this is an original idea, and there is bound to be a SOC out there that has already put something like this to use, but to us, using EDR data to be proactive about defense and to remove vulnerabilities before they are exploited seems pretty sweet! Detect and clean up some of the low-hanging fruit that may riddle your organization! To the security practitioners out there, especially the Blue Teamers: whether or not you have thought about using an EDR in this manner, what other things could you come up with that proactively detect the creation of vulnerabilities in your organization? Drop us a line on Twitter @MaverisLabs!

Website: www.maveris.com

Email: info@maveris.com

Maveris exists to help your organization reach its fullest potential by providing thought leadership in IT and cyber so you can connect fearlessly. To learn more visit us at: www.maveris.com
