Open Hunting - Threat Library

Openhunting Threat Library

Network Password Recovery

(Type: Credential stealer)

When you connect to a network share on your LAN or to your .NET Passport account, Windows allows you to save your password in order to use it in each time that you connect the remote server. This utility recovers all network passwords stored on your system for the current logged-on user. It can also recover the passwords stored in Credentials file of external drive, as long as you know the last log-on password.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year

Trend Per Month

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

1/36

persistence

2/113

privilege escalation

0/96

defense evasion

1/184

credential access

0/63

discovery

10/44

lateral movement

1/22

collection

0/37

command and control

0/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1569.002 System Services : Service Execution	T1136.001 Create Account : Local Account T1136.002 Create Account : Domain Account		T1070.005 Indicator Removal : Network Share Connection Removal		T1087.001 Account Discovery : Local Account T1087.002 Account Discovery : Domain Account T1135 Network Share Discovery T1201 Password Policy Discovery T1069.001 Permission Groups Discovery : Local Groups T1069.002 Permission Groups Discovery : Domain Groups T1018 Remote System Discovery T1049 System Network Connections Discovery T1007 System Service Discovery T1124 System Time Discovery	T1021.002 Remote Services : Smb/windows Admin Shares

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

Basic Information (Credit @etda.or.th)

Tool: Network Password Recovery

Names: Network Password Recovery

Description: When you connect to a network share on your LAN or to your .NET Passport account, Windows allows you to save your password in order to use it in each time that you connect the remote server. This utility recovers all network passwords stored on your system for the current logged-on user. It can also recover the passwords stored in Credentials file of external drive, as long as you know the last log-on password.

Category: Tools

Type: Credential stealer

Information: https://www.nirsoft.net/utils/network_password_recovery.html

Last-card-change: 2020-04-20

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1569.002 SYSTEM SERVICES : SERVICE EXECUTION the net start and net stop commands can be used in net to execute or stop windows services.	T1136.001 CREATE ACCOUNT : LOCAL ACCOUNT the net user username \password commands in net can be used to create a local account. T1136.002 CREATE ACCOUNT : DOMAIN ACCOUNT the net user username \password \domain commands in net can be used to create a domain account.		T1070.005 INDICATOR REMOVAL : NETWORK SHARE CONNECTION REMOVAL the net use \system\share /delete command can be used in net to remove an established connection to a network share.		T1087.001 ACCOUNT DISCOVERY : LOCAL ACCOUNT commands under net user can be used in net to gather information about and manipulate user accounts. T1087.002 ACCOUNT DISCOVERY : DOMAIN ACCOUNT net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain. T1135 NETWORK SHARE DISCOVERY the net view \remotesystem and net share commands in net can be used to find shared drives and directories on remote and local systems respectively. T1201 PASSWORD POLICY DISCOVERY the net accounts and net accounts /domain commands with net can be used to obtain password policy information. T1069.001 PERMISSION GROUPS DISCOVERY : LOCAL GROUPS commands such as net group and net localgroup can be used in net to gather information about and manipulate groups. T1069.002 PERMISSION GROUPS DISCOVERY : DOMAIN GROUPS commands such as net group /domain can be used in net to gather information about and manipulate groups. T1018 REMOTE SYSTEM DISCOVERY commands such as net view can be used in net to gather information about available remote systems. T1049 SYSTEM NETWORK CONNECTIONS DISCOVERY commands such as net use and net session can be used in net to gather information about network connections from a particular host. T1007 SYSTEM SERVICE DISCOVERY the net start command can be used in net to find information about windows services. T1124 SYSTEM TIME DISCOVERY the net time command can be used in net to determine the local or remote system time.	T1021.002 REMOTE SERVICES : SMB/WINDOWS ADMIN SHARES lateral movement can be done with net through net use commands to connect to the on remote systems.