T1552: Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/...

Platforms: Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider

Detections: 76
Sources: 4
Threat Actors: 1

BY SOURCE

- elastic: 56
- sigma: 12
- splunk_escu: 7
- crowdstrike_cql: 1

PROCEDURES (58)

Auto-extracted procedure tags, each with the number of detections it covers:

- Azure: 5 detections
- Anomal: 4 detections
- Credential: 3 detections
- Lateral: 2 detections
- Container: 2 detections
- Persist: 2 detections
- C2: 2 detections
- Privilege: 2 detections
- Container: 2 detections
- Cloud: 2 detections
- General Monitoring: 2 detections
- Aws: 2 detections
- Kerbero: 1 detection
- Download: 1 detection
- Cloud: 1 detection
- Token: 1 detection
- Persist: 1 detection
- Download: 1 detection
- Lateral: 1 detection
- Kubernetes: 1 detection
- Unusual: 1 detection
- Impersonat: 1 detection
- Process Access: 1 detection
- Dump: 1 detection
- Office: 1 detection
- Office: 1 detection
- Token: 1 detection
- Impersonat: 1 detection
- Kerbero: 1 detection
- Authentication Monitoring: 1 detection
- Inject: 1 detection
- Suspicious: 1 detection
- Event Log: 1 detection
- Script Execution Monitoring: 1 detection
- Container: 1 detection
- Credential: 1 detection
- Container: 1 detection
- Lateral: 1 detection
- Suspicious: 1 detection
- Cloud: 1 detection
- Unusual: 1 detection
- Suspicious: 1 detection
- Http: 1 detection
- Inject: 1 detection
- Encrypt: 1 detection
- Event Log: 1 detection
- Dump: 1 detection
- C2: 1 detection
- Token: 1 detection
- Http: 1 detection
- Cloud Monitoring: 1 detection
- Azure: 1 detection
- Azure: 1 detection
- Persist: 1 detection
- Cloud: 1 detection
- Api: 1 detection
- Credential: 1 detection
- Cloud: 1 detection

THREAT ACTORS (1)

DETECTIONS (76)

| Detection | Source | Severity |
|---|---|---|
| Access to a Sensitive LDAP Attribute | elastic | medium |
| Added Owner To Application | sigma | medium |
| Application AppID Uri Configuration Changes | sigma | high |
| Applications with plaintext passwords | crowdstrike_cql | |
| AWS Credentials Searched For Inside A Container | elastic | high |
| AWS EC2 Instance Console Login via Assumed Role | elastic | high |
| AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role | elastic | medium |
| AWS EC2 User Data Retrieval for EC2 Instance | elastic | medium |
| AWS IAM CompromisedKeyQuarantine Policy Attached to User | elastic | high |
| AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts | elastic | high |
| AWS IAM Long-Term Access Key First Seen from Source IP | elastic | medium |
| Azure Arc Cluster Credential Access by Identity from Unusual Source | elastic | medium |
| Azure Event Hub Authorization Rule Created or Updated | elastic | medium |
| Azure Key Vault Modified or Deleted | sigma | medium |
| Azure Keyvault Key Modified or Deleted | sigma | medium |
| Azure Keyvault Secrets Modified or Deleted | sigma | medium |
| Azure Kubernetes Admission Controller | sigma | medium |
| Azure Service Principal Sign-In Followed by Arc Cluster Credential Access | elastic | medium |
| Azure Storage Account Key Regenerated | elastic | low |
| Cisco SNMP Community String Configuration Changes | splunk_escu | |
| Cloud Credential Search Detected via Defend for Containers | elastic | medium |
| Command Shell Activity Started via RunDLL32 | elastic | low |
| Creation or Modification of Domain Backup DPAPI private key | elastic | high |
| Credential Access via TruffleHog Execution | elastic | medium |
| Detect AWS Console Login by New User | splunk_escu | |
| First Time Python Accessed Sensitive Credential Files | elastic | medium |
| FortiGate Configuration File Downloaded | elastic | medium |
| GenAI Process Accessing Sensitive Files | elastic | high |
| GitHub Authentication Token Access via Node.js | elastic | medium |
| Google Cloud Kubernetes Admission Controller | sigma | medium |
| Google Workspace Drive Encryption Key(s) Accessed from Anonymous User | elastic | high |
| Kubeconfig File Creation or Modification | elastic | medium |
| Kubeconfig File Discovery | elastic | low |
| Kubectl Secrets Enumeration Across All Namespaces | elastic | medium |
| Kubelet Certificate File Access Detected via Defend for Containers | elastic | low |
| Kubernetes Admission Controller Modification | sigma | medium |
| Kubernetes Direct API Request via Curl or Wget | elastic | medium |
| Kubernetes Secret Access via Unusual User Agent | elastic | low |
| Kubernetes Secret or ConfigMap Access via Azure Arc Proxy | elastic | medium |
| Kubernetes Service Account Secret Access | elastic | medium |
| Microsoft IIS Connection Strings Decryption | elastic | high |
| O365 Email Suspicious Search Behavior | splunk_escu | |
| O365 SharePoint Suspicious Search Behavior | splunk_escu | |
| Potential Credential Discovery via Recursive Grep | elastic | high |
| Potential Impersonation Attempt via Kubectl | elastic | medium |
| Potential Kerberos Attack via Bifrost | elastic | high |
| Potential Okta Password in AlternateID Field | sigma | high |
| Potential PowerShell HackTool Script by Function Names | elastic | medium |
| Potential Privilege Escalation via Linux DAC permissions | elastic | low |
| Potential Secret Scanning via Gitleaks | elastic | medium |
| Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | sigma | medium |
| Private Key Searching Activity | elastic | high |
| Script Interpreter Spawning Credential Scanner - Linux | sigma | high |
| Script Interpreter Spawning Credential Scanner - Windows | sigma | high |
| Security File Access via Common Utilities | elastic | low |
| Sensitive File Compression Detected via Defend for Containers | elastic | medium |
| Sensitive Files Compression | elastic | medium |
| Sensitive Files Compression Inside A Container | elastic | high |
| Sensitive Keys Or Passwords Search Detected via Defend for Containers | elastic | medium |
| Sensitive Keys Or Passwords Searched For Inside A Container | elastic | medium |
| Service Account Token or Certificate Access Followed by Kubernetes API Request | elastic | medium |
| Service Account Token or Certificate Read Detected via Defend for Containers | elastic | medium |
| Suspicious CertUtil Commands | elastic | medium |
| Unusual Instance Metadata Service (IMDS) API Request | elastic | medium |
| Unusual Linux Process Calling the Metadata Service | elastic | low |
| Unusual Linux User Calling the Metadata Service | elastic | low |
| Unusual Web Config File Access | elastic | high |
| Unusual Windows Process Calling the Metadata Service | elastic | low |
| Unusual Windows User Calling the Metadata Service | elastic | low |
| Web Server Exploitation Detected via Defend for Containers | elastic | high |
| Web Server Local File Inclusion Activity | elastic | low |
| Web Server Potential Command Injection Request | elastic | low |
| Windows Post Exploitation Risk Behavior | splunk_escu | |
| Windows SharePoint Spinstall0 GET Request | splunk_escu | |
| Windows Unsecured Outlook Credentials Access In Registry | splunk_escu | |
| Wireless Credential Dumping using Netsh Command | elastic | high |