Overview
Huntress uses EDR technology to detect when end users are accessing potentially unsecured credential files. If this feature is enabled within Account Settings, Huntress will send you an incident report. At any time, partners can view all potentially unsecured credential signals from their Process Insights Dashboard, regardless of feature opt-in status.
Background
The security of a network is lowered when users store credential files on disk or on a network share instead of using a secure password management solution. An attacker can find these files if they gain access to the host via other means, then use the credentials to laterally move across the network.
This feature provides Huntress partners with ongoing visibility into a very common, wildly insecure practice that should be mitigated, and provides the opportunity to introduce end users to more secure approaches for credential management.
How it Works
By analyzing process data on the endpoint, Huntress can determine when end users might be accessing credential files that are being stored in an insecure manner. We say "might" here because we do not collect and analyze file content to actually verify that credential data is present. But, based on empirical and anecdotal evidence, files named password.xlsx often contain insecure password data.
When this behavior is detected, a Potentially Unsecured Credentials signal is generated in the Huntress Portal.
Receiving Incident Reports
You can opt in or out of this feature in Account Settings, or add exclusions for specific hosts and organizations for which you do not want to receive credential reports.
At this time Huntress does not allow for file-level exclusions. This is a feature we hope to provide in the future.
Low-severity incidents will be sent out once a day at 1000 UTC via the Huntress Portal. Each host will not receive more than one incident every 30 days, allowing time to address the insecure credential files with the non-compliant end users.
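The name-based matching described under How it Works and the 30-day per-host limit above can be sketched as follows. This is an added example, not Huntress's detection logic: the keyword and extension lists, the function names, and the sample process events are all assumptions constructed for illustration.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Assumed heuristics for illustration; file content is never read.
NAME_HINT = re.compile(r"passw(or)?ds?|credentials?|creds|logins?", re.I)
DOC_EXT = {".xlsx", ".xls", ".csv", ".txt", ".docx", ".doc"}
TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare command-line argument
SUPPRESS = timedelta(days=30)           # one incident per host per 30 days

def suspect_files(cmdline):
    """Return arguments whose file *name* suggests stored credentials."""
    hits = []
    for quoted, bare in TOKEN.findall(cmdline):
        arg = quoted or bare
        stem, ext = ntpath.splitext(ntpath.basename(arg))
        # Match on the base name only, so a directory such as
        # "PasswordTool" does not flag an unrelated file inside it.
        if ext.lower() in DOC_EXT and NAME_HINT.search(stem):
            hits.append(arg)
    return hits

def triage(events, last_incident):
    """Return (signals, incidents) for (time, host, cmdline) events.

    Every match is a signal; a host gets an incident only when it has
    had none in the previous 30 days.
    """
    seen = dict(last_incident)  # do not mutate the caller's state
    signals, incidents = [], []
    for ts, host, cmd in sorted(events):
        for path in suspect_files(cmd):
            signals.append((ts, host, path))
            prev = seen.get(host)
            if prev is None or ts - prev >= SUPPRESS:
                incidents.append((ts, host, path))
                seen[host] = ts
    return signals, incidents

EVENTS = [  # constructed sample process events: (time, host, command line)
    (datetime(2024, 5, 1, 9, 0), "WS-01", r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\amy\Desktop\password.xlsx"'),
    (datetime(2024, 5, 3, 14, 0), "WS-01", r'notepad.exe \\fs01\shared\IT\logins.txt'),
    (datetime(2024, 5, 4, 8, 0), "WS-02", r'"C:\Program Files\PasswordTool\pwtool.exe" C:\Users\bob\notes.txt'),
    (datetime(2024, 6, 2, 10, 0), "WS-01", r'notepad.exe "C:\Users\amy\Documents\Server Passwords.txt"'),
]

if __name__ == "__main__":
    signals, incidents = triage(EVENTS, {})
    print(len(signals), "signals,", len(incidents), "incidents")
```

On the sample events, WS-01 produces three signals but only two incidents, because the second match falls inside the 30-day window opened by the first.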
Resolving Incidents
There are no Assisted Remediations for Potentially Unsecured Credential file incident reports. Partners are able to resolve incidents manually within the Huntress Portal.
Some accounts may have dozens of reports for these findings. The Huntress Portal has been upgraded to support bulk resolution of applicable incident reports. Learn more here!
Viewing Potentially Unsecured Credential Signals
Regardless of whether you have opted in to receiving incident reports, all partners can view signals for Potentially Unsecured Credentials from the Process Insights Dashboard.
Clicking View Signals will take you to a table view with more information and a CSV export feature.