Credentials in Your Environment
A recurrent theme in both real-life attacks and penetration tests has been the scanning of local networks for spreadsheets full of credentials. Many people simply don’t believe such files are worth looking for to real-world attackers, but the highly publicised breach of Okta is just one strong counter-example: https://techcrunch.com/2022/03/28/lapsus-passwords-okta-breach/
You may also want to consider the existence of tools such as Snaffler.
There are plenty of tools and products designed to alert you after a credential is used. However, here we believe we can provide an earlier warning system.
An Attractive Target
A common tool used on engagements is “crackmapexec”; it, and similar tools, will absolutely find the shares that end users typically don’t use. This matters because you don’t want an end user legitimately stumbling across such a file.
Of course that folder is shared, so network users are going to find \\SERVER\ITSupport\Password List.xlsx.
Generating Event Logs
We’re going to use Windows File Access Auditing to generate an event the moment a user opens that file. This needs to be enabled globally on the server, hopefu
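As an added illustration of the auditing set-up described above (this is example code, not the post’s own), the snippet below enables the File System audit subcategory on the server, places an audit entry (SACL) on the decoy spreadsheet so that any read is logged, and then pulls the resulting Security event 4663 records for that file. The local path of the decoy is an assumption standing in for the post’s share path; run it in an elevated PowerShell session on the file server.

```powershell
# Added example (not from the original post). Assumes the decoy spreadsheet lives
# at the local path below, which backs the shared folder the post describes.
$Decoy = 'D:\Shares\ITSupport\Password List.xlsx'   # assumed local path of the decoy file

# 1. Enable the "Object Access > File System" audit subcategory for success and failure.
#    This is the same setting as "Audit File System" under Advanced Audit Policy in Group Policy.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry to the decoy file: audit any read of its contents by any principal.
#    Writing a SACL requires SeSecurityPrivilege, hence the elevated session.
$acl  = Get-Acl -Path $Decoy -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',                                                  # identity to audit
    [System.Security.AccessControl.FileSystemRights]::ReadData,  # reading the file body
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Decoy -AclObject $acl

# 3. Retrieve Security event 4663 ("An attempt was made to access an object") entries
#    from the last 24 hours that name the decoy, and flatten the fields a responder wants.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Decoy) }

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Process    = $data.ProcessName
        Object     = $data.ObjectName
        AccessMask = $data.AccessMask
    }
}
```

Two points worth checking when you adopt this: auditing must be enabled at the policy level (step 1) and the SACL must exist on the object (step 2), or no 4663 is written at all; and because legitimate indexing or backup agents can also open the file, the SubjectUserName and ProcessName fields in the output are what let you separate a real interactive read from background noise before forwarding the event to your SIEM.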