
Credential Harvesting

Dictionary Term

Alternative Forms

  • Harvesting

Definitions

Definition 1

Credential harvesting is a class of cyberattacks characterized by the collection of information related to identities, certificates, and credentials with the objective of leveraging this information to compromise or abuse these identities and/or the information system that these identities grant access to.

Credential harvesting targets identities and certificates indiscriminately within a certain scope, in the hope of finding vulnerable ones and eventually exploiting them. In this respect, credential harvesting is distinct from attacks that focus on specific identities or certificates.

Example information types collected by credential harvesting include any identity attribute, credential attribute, credential, or piece of session information that may be leveraged for exploitation, including:

  • Email address

  • Login ID

  • Password

  • Password hash

  • Private key

  • Session ID, key, or token

  • SSH key

Some information types may be publicly or easily available, e.g. email addresses that may be collected by web scraping. Email harvesting is a specialized and limited form of credential harvesting often used for phishing purposes.

In the context of credential harvesting, the information being collected may be insufficient to succeed in the exploitation and may need to be complemented with other techniques.

  • Credential harvesting for reconnaissance. This cyberattack consists of guessing or collecting identity attributes that are not sufficient to exploit identities but that are often publicly or easily available, e.g. email addresses collected by web scraping or login IDs collected by guessing naming conventions. This attack may be used in the reconnaissance phase of a larger attack or for phishing purposes.

  • Credential harvesting for exploitation. This cyberattack consists of guessing or collecting confidential or vulnerable identity attributes or credentials, such as passwords or session tokens, that may be effectively leveraged to compromise identities in preparation for the exploitation phase of the attack, e.g. scanning configuration files for passwords, reading plaintext cached credentials stored in memory, or collecting session tokens from web cookies. This attack may be used for initial exploitation and/or lateral movement.

Credential harvesting may be designated by the identity attribute or credential that is being harvested, e.g. email address harvesting or password harvesting.

Example classes of threat actors who may engage in credential harvesting include:

  • Bots

  • Humans

  • Worms (e.g. Nimda)

Example data sources used to harvest credentials:

  • Configuration files

  • Databases

  • Documents (e.g. email addresses, login IDs, passwords)

  • Email or application services that allow guessing attributes/dictionary attacks

  • Identity repositories (e.g. LDAP, Windows Active Directory)

  • In-memory data (e.g. login IDs, plaintext passwords, session tokens)

  • People (through social engineering)

  • Phishing websites (e.g. login IDs, passwords, second authentication factor)

  • Reusable identity attributes or credentials obtained from previous data breaches

  • Web cookies

  • Web query parameters

  • Web sites, social networks, and forums (e.g. email addresses via web scraping)

  • Windows registry

Information may be collected by accessing it directly when it is publicly or easily available (e.g. email addresses collected by web scraping, or configuration files), by hacking (e.g. accessing live memory to read plaintext passwords in cached credentials), or by guessing it (e.g. email addresses or login IDs by . Examples of guessing approaches are the

Example countermeasures that may be effective against credential harvesting include:

  • Access controls / need-to-know

  • Canary identities

  • Disabling credential caching

  • Digital Rights Management (DRM)

  • Encryption

  • Hardware Security Module (HSM)

  • Multi-Factor Authentication (MFA)

  • Password Managers

  • Privileged Access Management (PAM)

  • Security awareness programs

  • System hardening
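Two of the items above, canary identities and the monitoring of services that allow login-ID guessing, translate directly into detection logic. The following is an added example (not part of the original dictionary entry or any vendor's product) of a small detector run over authentication log lines. The log format, the account names and the thresholds are constructed assumptions: a canary identity is an account that exists only to be found by a harvester and is never used legitimately, so any sighting of it is an alert; separately, one source trying many distinct login IDs within a short window is flagged as identity enumeration, the indiscriminate pattern the definition describes.

```python
"""Detection of two credential-harvesting signals in authentication logs:
(1) any use of a canary identity, and
(2) one source trying many distinct login IDs in a short window.

Added illustrative example. The log line format, the account names and the
thresholds below are constructed assumptions, not the page's or a vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> auth <ok|fail> user=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Canary identities (constructed names): never used for legitimate logins,
# so any attempt against them, successful or not, is worth an alert.
CANARY_USERS = {"svc_backup_old", "admin_tmp"}

ENUM_THRESHOLD = 5                    # distinct login IDs from one source ...
ENUM_WINDOW = timedelta(minutes=10)   # ... within this sliding window


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, canaries=CANARY_USERS, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Return a list of (rule, src, detail) alerts in log order."""
    alerts = []
    history = defaultdict(list)   # src -> [(timestamp, user)] within the window
    flagged_enum = set()          # sources already reported for enumeration
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        if ev["user"] in canaries:
            alerts.append(("canary_identity", ev["src"], ev["user"]))
        hist = history[ev["src"]]
        hist.append((ev["ts"], ev["user"]))
        cutoff = ev["ts"] - window
        # keep only events inside the sliding window for this source
        history[ev["src"]] = hist = [(t, u) for t, u in hist if t >= cutoff]
        distinct = {u for _, u in hist}
        if len(distinct) >= threshold and ev["src"] not in flagged_enum:
            flagged_enum.add(ev["src"])
            alerts.append(("identity_enumeration", ev["src"],
                           f"{len(distinct)} distinct login IDs"))
    return alerts


# Constructed sample log: one normal user, one source walking a list of
# login IDs that ends on a canary account, one malformed line.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 auth ok user=alice src=10.0.0.5",
    "2024-05-01T09:00:05 auth fail user=bob src=10.0.0.5",
    "2024-05-01T09:01:00 auth fail user=a.smith src=203.0.113.7",
    "2024-05-01T09:01:02 auth fail user=b.jones src=203.0.113.7",
    "2024-05-01T09:01:04 auth fail user=c.lee src=203.0.113.7",
    "2024-05-01T09:01:06 auth fail user=d.kim src=203.0.113.7",
    "2024-05-01T09:01:08 auth fail user=admin_tmp src=203.0.113.7",
    "2024-05-01T09:30:00 auth ok user=carol src=10.0.0.9",
    "garbage line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The canary rule fires on the first sighting regardless of result, because the value of a canary identity lies in the fact that nobody legitimate knows it exists; the enumeration rule fires once per source so that a long guessing run does not flood the alert queue. Both thresholds should be tuned to the environment's normal login-failure baseline before deployment.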

Sample Sentences

Eve, the hacker, tricked Bob, the user, by cleverly forging a spearphishing email. When Bob clicked on the link in that email, he didn't notice anything unusual as his laptop got compromised. Once in, Eve started to harvest credentials. Luckily for her, she quickly found the cached credentials of Alice, an engineer from the IT support team who had previously logged in on Bob's laptop to help with a technical issue.

Conceptual Diagram

Related Terms

  • Password

  • Worm

See Also
