Valid Accounts

From attackics
ID T859
Tactic Persistence, Lateral Movement
Data Sources Authentication logs, Process monitoring
Asset Control Server, Data Historian, Engineering Workstation, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay


Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.

Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence.[1]

The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.

In the 2015 attack on the Ukrainian power grid, the adversaries used valid credentials to interact directly with the client application of the distribution management system (DMS) server via a VPN and native remote access services to access employee workstations hosting HMI applications.[2] The adversaries caused outages at three different energy companies, causing loss of power to over 225,000 customers over various areas.[2]

Procedure Examples

  • ALLANITE utilized credentials collected through phishing and watering hole attacks.[3]
  • Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks.[4]
  • Dragonfly leveraged compromised user credentials to access the targets' networks and download tools from a remote server.[5]
  • HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization.[6]
  • OilRig utilized stolen credentials to gain access to victim machines.[7]
  • Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems.[8][9]
  • XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[10]
  • BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence.[1]


Mitigation

  • Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.[11]
  • Privilege restriction should extend to hardware, firmware, software, documentation, and settings modifications.[11]
  • Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.[11]
  • In general, console user actions should be traceable, whether the record is kept manually (e.g. control room sign-in) or automatically (e.g. login at the application and/or OS layer).[11] Protect and restrict access to the resulting logs.
  • Special care should be taken to ensure that passwords used with encrypted protocols are not the same as those used with non-encrypted protocols. Password lockout policies can be enforced, but take care to balance this with operational needs that might result in a few failed login attempts in stressful situations.[11]
  • Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.[11]
  • Physical token authentication can also be considered. It is also easier to notice if these have been lost or stolen, unlike traditional passwords. Smart cards are another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be a good supplement to software-only password solutions.[11]
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.[11]
  • Antivirus and malware detection should be employed to assist with detecting and preventing malicious code from being run, in the event a Valid Account is compromised.[11]
  • Network monitoring and intrusion detection systems can be leveraged to observe activity and may help identify suspicious account activity and movement at unexpected times.[11]
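The last mitigation and the "Authentication logs" data source above describe what to watch for but not how. The following is an added example, not code from the page or from MITRE, that runs three detections over a constructed authentication log: successful logins outside the control-room shift, sessions into OT assets from a host that is not an approved path (the VPN-to-workstation-to-HMI pattern described for the 2015 Ukraine incident), and one account fanning out across many hosts in a short window, which is how credential overlap is used to pivot. The host names, shift hours, allow-list and thresholds are hypothetical site policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): time user src_host dst_host result
AUTH_LOG = """\
2015-12-23T14:02:11 jsmith ENG-WS01 HMI-SUB01 success
2015-12-23T14:05:02 jsmith ENG-WS01 HMI-SUB03 failure
2015-12-23T22:41:05 oper1 VPN-GW01 ENG-WS01 success
2015-12-23T22:42:19 oper1 ENG-WS01 HMI-SUB01 success
2015-12-23T22:43:07 oper1 ENG-WS01 HMI-SUB02 success
2015-12-23T22:43:50 oper1 ENG-WS01 HMI-SUB03 success
2015-12-23T22:44:30 oper1 ENG-WS01 DMS-SRV01 success
2015-12-23T22:45:10 oper1 VPN-GW01 HMI-SUB03 success
"""
# Assumed (hypothetical) site policy: OT assets, hosts allowed to reach them,
# the control-room shift window and what counts as pivoting.
OT_ASSETS = {"HMI-SUB01", "HMI-SUB02", "HMI-SUB03", "DMS-SRV01"}
ALLOWED_OT_SOURCES = {"JUMP01", "ENG-WS01"}
SHIFT_HOURS = range(6, 18)            # 06:00-17:59 local time
PIVOT_WINDOW = timedelta(minutes=5)
PIVOT_THRESHOLD = 3                   # distinct hosts reached inside the window

def parse_auth_log(log):
    """Split the log into (timestamp, user, src, dst, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, src, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, result))
    return events

def detect_valid_account_misuse(log):
    """Return (rule, user, timestamp) findings: successful logins that are
    off-shift, reach OT from an unexpected source, or fan out fast (pivoting)."""
    findings, hops = [], defaultdict(list)
    for ts, user, src, dst, result in parse_auth_log(log):
        if result != "success":       # misuse of a valid account succeeds
            continue
        if ts.hour not in SHIFT_HOURS:
            findings.append(("off_hours", user, ts.isoformat()))
        if dst in OT_ASSETS and src not in ALLOWED_OT_SOURCES:
            findings.append(("unexpected_path", user, ts.isoformat()))
        hops[user].append((ts, dst))
    for user, seq in hops.items():    # one account reaching many hosts quickly
        seq.sort()
        for i, (start, _) in enumerate(seq):
            reached = {d for t, d in seq[i:] if t - start <= PIVOT_WINDOW}
            if len(reached) >= PIVOT_THRESHOLD:
                findings.append(("pivot", user, start.isoformat()))
                break
    return findings
```

In the sample, jsmith's daytime session from the engineering workstation produces nothing, while oper1's off-shift VPN entry, the direct VPN-to-HMI hop and the fan-out across five hosts in four minutes each raise a finding.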