    April 29, 2021

    How To Detect Password Lists With Blumira

With fileless malware on the rise in recent years, there is a growing need for good security hygiene, with secure storage of business credentials as a key component.

    Many pentest and breach reports point to unsecured credentials stored on user systems, network shares, or even in SaaS cloud provider services as enablers for threat actors to complete their objectives and access critical systems or information.

    At Blumira, we provide insight to customers when users are engaging in this risky behavior, allowing the organization to take preemptive action and remediate before the credentials can be leaked or used in an intrusion. 

    Here, we’ll walk through how Blumira alerts on this behavior and how easily a threat actor can take advantage of the opportunity if not remediated.

    How Blumira Catches Credential Lists

Here we have a user who needs to use a saved password list to perform their job tasks, so they save the list to their Documents folder. The user thinks this has to be safe — they’ve taken their security training, they know how to avoid phishing emails and they don’t visit sketchy websites.

    Screenshot of a password list

    Blumira picks up the activity and alerts the security administrator.

    Blumira alert for password list

    The security administrator informs the user that their activity is hazardous and directs them to an enterprise password management solution. This closes a potential configuration vulnerability, making the environment more secure.

    Blumira finding

    The Effects of Poor Password Management

    Let’s say the user never cleans up the password file and the security administrator is unaware of its existence. Our user practices all practical security measures available to them, but their coworker sitting across the hall does not and falls for a phishing email — allowing a threat actor to access the corporate network. 

    The threat actor scans across the local network, and finds our unsuspecting user’s machine.

    Threat actor scanning a network

    Then, they look for users who happen to be storing credentials in an unsafe manner.

    Network scan finds unsafe password storage

    Bingo — they now have a target to collect, and the content may allow them further access to sensitive information or systems.

    Threat actor accessing other systems

    Password Management Best Practices

    So what can we do to close the loop on preventing this? The following recommendations can help limit this attack vector:

    • Use a password manager or vault solution to store business-critical credentials.
    • Disallow communication between workstations, namely SMB traffic from workstation to workstation. Your firewall policy should restrict most communication between workstations by default.
    • Use a SIEM like Blumira’s to monitor and alert when users may fall out of compliance and encourage them to use a more secure solution.
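The third recommendation, monitoring for saved credential lists on user systems, can be prototyped locally. The following is an added example and is not Blumira’s code or detection rules: a heuristic scanner (the file-name hints, regular expressions and score threshold are assumptions) that scores files under a directory and returns those worth a security administrator’s review, run here over constructed sample files.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumed for this example; not Blumira's detection logic).
NAME_HINTS = ("password", "passwd", "pwd", "creds", "credential", "logins")
# A non-empty line shaped like "label: secret", "label,secret" or "label = secret".
CRED_LINE = re.compile(r"^\s*[\w.@ -]{1,40}?\s*[:,=\t]\s*\S{6,}\s*$")
KEYWORD = re.compile(r"\b(pass(word)?|pwd|login|username)\b", re.IGNORECASE)
THRESHOLD = 4  # structure alone scores 3; a name hint or keyword must also be present

def score_text(name: str, text: str) -> int:
    """Score a file by name and content; higher means more like a stored credential list."""
    score = 2 if any(h in name.lower() for h in NAME_HINTS) else 0
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines:
        cred_like = sum(1 for ln in lines if CRED_LINE.match(ln))
        if cred_like >= 3 and cred_like / len(lines) >= 0.5:  # mostly label/secret pairs
            score += 3
    if KEYWORD.search(text):
        score += 1
    return score

def scan_directory(root: Path, exts=(".txt", ".csv", ".md"), max_bytes=65536):
    """Return [(relative path, score)] for files under root scoring at or above THRESHOLD."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            text = p.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
            s = score_text(p.name, text)
            if s >= THRESHOLD:
                hits.append((str(p.relative_to(root)), s))
    return hits

# Constructed sample files: two credential lists, a plain contact export and meeting notes.
SAMPLES = {
    "passwords.txt": "vpn: Summer2021!\nhr portal: Welcome1\nadmin@corp: P@ssw0rd123\n",
    "sites.csv": "site,username,password\nportal.example,bob,Welcome1!\nwiki.example,bob,Autumn2021!\n",
    "vendors.csv": "Acme,bob@acme.example\nGlobex,hank@globex.example\nInitech,pat@initech.example\n",
    "meeting_notes.txt": "Agenda: budget review\nAction items: follow up with vendor\nNext meeting Tuesday\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            (Path(d) / name).write_text(text)
        return scan_directory(Path(d))

if __name__ == "__main__":
    print(demo())  # [('passwords.txt', 5), ('sites.csv', 4)]
```

The contact export scores 3 from its two-column structure alone and stays below the threshold, while the headed CSV is flagged by its "username,password" header even though its file name gives no hint; treat hits as a review queue rather than a verdict.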

Blumira can help find instances of poor security behavior from your users. To get insight on risky behavior occurring within your company, try our free trial.

Tag(s): Product Updates, Blog

    Brian Laskowski

Brian has 5 years of experience in IT, with prior work ranging from Linux systems administration to most recently leading the threat intelligence program at the State of Michigan security operations center. Other areas of focus have included incident response, threat hunting, memory analysis, adversary emulation, and...
