An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

How does a Use of Known Operating System Credentials attack work?

It typically unfolds over 5 phases. It begins with: [Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.

How do you prevent CAPEC-653?

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the network.

What weaknesses does CAPEC-653 target?

CAPEC-653 exploits 7 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-308 (Use of Single-factor Authentication).

How severe is CAPEC-653?

MITRE rates CAPEC-653 as High severity with high likelihood of attack.

CAPEC-653: Use of Known Operating System Credentials

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.
- An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.
- An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
- An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.
- An adversary gains access to a system/files and exfiltrates password hashes.
- An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
Step 2
Experiment
[Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access.
- Manually or automatically enter each credential through the target's interface.
Step 3
Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network
Step 4
Exploit
[Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.
Step 5
Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration.

How the attack works

CAPEC-653: Use of Known Operating System Credentials

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-653?

How does a Use of Known Operating System Credentials attack work?

How do you prevent CAPEC-653?

What weaknesses does CAPEC-653 target?

How severe is CAPEC-653?

References

Defend against CAPEC-653

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Child

Can precede

Related

Frequently asked questions

What is CAPEC-653?

How does a Use of Known Operating System Credentials attack work?

How do you prevent CAPEC-653?

What weaknesses does CAPEC-653 target?

How severe is CAPEC-653?

References

Defend against CAPEC-653