Skip to content

Latest commit

 

History

History
24 lines (18 loc) · 1.01 KB

Credentials_in_files.md

File metadata and controls

24 lines (18 loc) · 1.01 KB

Credentials in Files

MITRE ATT&CK technique T1081

Tactic: Credential Access

Platform: Windows, Linux, Mac

Deception Techniques

  • Create documents and files containing fake credentials (i.e. honey accounts)
    • Configuration, backup and connection files such as RDP, VPN, and AWS credentials file
    • Fake credentials in browser password manager
    • bash_history entries containing fake credentials, e.g.:
mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases"
ftp ftp://backup:[email protected]:2121
sshpass -p '123456' ssh -p 2222 [email protected]
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Useful Tools

  • honeybits - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.