T1552: Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/...

Platforms: Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider

95 detections, 5 sources, 1 threat actor

BY SOURCE

elastic: 71, sigma: 13, splunk_escu: 8, crowdstrike_cql: 2, kql: 1

PROCEDURES (65)

Each entry is an auto-extracted procedure keyword with the number of detections mapped to it:

Azure: 5 detections
Anomal: 4 detections
Aws: 4 detections
Credential: 3 detections
Lateral: 2 detections
Container: 2 detections
Exfiltrat: 2 detections
Azure: 2 detections
Registry: 2 detections
General Monitoring: 2 detections
Container: 2 detections
Persist: 2 detections
Event Log: 2 detections
Container: 2 detections
Oauth: 2 detections
Dump: 2 detections
Api: 2 detections
C2: 2 detections
Container: 2 detections
Azure: 1 detection
Credential: 1 detection
Exfiltrat: 1 detection
Persist: 1 detection
Download: 1 detection
Lateral: 1 detection
Unusual: 1 detection
Http: 1 detection
Impersonat: 1 detection
Kubernetes: 1 detection
Cloud: 1 detection
Authentication Monitoring: 1 detection
Inject: 1 detection
Suspicious: 1 detection
Script Execution Monitoring: 1 detection
Cloud: 1 detection
Lateral: 1 detection
Cloud: 1 detection
Cloud: 1 detection
Suspicious: 1 detection
Http: 1 detection
Dump: 1 detection
Http: 1 detection
Process Access: 1 detection
Kerbero: 1 detection
Suspicious: 1 detection
Dump: 1 detection
Aws: 1 detection
Download: 1 detection
Impersonat: 1 detection
Encrypt: 1 detection
Credential: 1 detection
Kerbero: 1 detection
Exfiltrat: 1 detection
Dump: 1 detection
Credential: 1 detection
Inject: 1 detection
Http: 1 detection
Inject: 1 detection
Powershell: 1 detection
Event Log: 1 detection
C2: 1 detection
C2: 1 detection
Token: 1 detection
Privilege: 1 detection
Cloud Monitoring: 1 detection

THREAT ACTORS (1)

DETECTIONS (95)

Each entry lists the detection name followed by its source and, where given, its severity:

Access to a Sensitive LDAP Attribute (elastic, medium)
Added Owner To Application (sigma, medium)
Application AppID Uri Configuration Changes (sigma, high)
Applications with plaintext passwords (crowdstrike_cql)
Applications with plaintext passwords (crowdstrike_cql)
AWS Credentials Searched For Inside A Container (elastic, high)
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization (elastic, medium)
AWS EC2 Instance Console Login via Assumed Role (elastic, high)
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (elastic, medium)
AWS EC2 User Data Retrieval for EC2 Instance (elastic, medium)
AWS IAM CompromisedKeyQuarantine Policy Attached to User (elastic, high)
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts (elastic, high)
AWS IAM Long-Term Access Key First Seen from Source IP (elastic, medium)
AWS S3 Credential File Retrieved from Bucket (elastic, medium)
Azure Arc Cluster Credential Access by Identity from Unusual Source (elastic, medium)
Azure Event Hub Authorization Rule Created or Updated (elastic, medium)
Azure Key Vault Modified or Deleted (sigma, medium)
Azure Keyvault Key Modified or Deleted (sigma, medium)
Azure Keyvault Secrets Modified or Deleted (sigma, medium)
Azure Kubernetes Admission Controller (sigma, medium)
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (elastic, medium)
Azure Storage Account Key Regenerated (elastic, low)
Cisco SNMP Community String Configuration Changes (splunk_escu)
Cloud Credential Search Detected via Defend for Containers (elastic, medium)
Cloud Instance Metadata Credential Path HTTP Request (elastic, medium)
Command Shell Activity Started via RunDLL32 (elastic, low)
Commandlines with cleartext passwords (kql)
Creation or Modification of Domain Backup DPAPI private key (elastic, high)
Credential Access via TruffleHog Execution (elastic, medium)
Detect AWS Console Login by New User (splunk_escu)
EventLog Query Requests By Builtin Utilities (sigma, medium)
First Time Python Accessed Sensitive Credential Files (elastic, medium)
FortiGate Configuration File Downloaded (elastic, medium)
GenAI Process Accessing Sensitive Files (elastic, high)
GitHub Authentication Token Access via Node.js (elastic, medium)
Google Cloud Kubernetes Admission Controller (sigma, medium)
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (elastic, high)
Kubeconfig File Creation or Modification (elastic, medium)
Kubeconfig File Discovery (elastic, low)
Kubectl Secrets Enumeration Across All Namespaces (elastic, high)
Kubelet Certificate File Access Detected via Defend for Containers (elastic, low)
Kubernetes Admission Controller Modification (sigma, medium)
Kubernetes and Cloud Credential Path Access via Process Arguments (elastic, high)
Kubernetes Direct API Request via Curl or Wget (elastic, medium)
Kubernetes Pod Exec Cloud Instance Metadata Access (elastic, high)
Kubernetes Pod Exec Sensitive File or Credential Path Access (elastic, high)
Kubernetes Rapid Secret GET Activity Against Multiple Objects (elastic, high)
Kubernetes Secret Access via Unusual User Agent (elastic, low)
Kubernetes Secret get or list from Node or Pod Service Account (elastic, medium)
Kubernetes Secret get or list with Suspicious User Agent (elastic, high)
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (elastic, medium)
Kubernetes Secrets List Across Cluster or Sensitive Namespaces (elastic, high)
Kubernetes Service Account Secret Access (elastic, medium)
Kubernetes Service Account Token Created via TokenRequest API (elastic, medium)
Microsoft IIS Connection Strings Decryption (elastic, high)
Microsoft IIS Service Account Password Dumped (elastic, low)
Multi-Cloud CLI Token and Credential Access Commands (elastic, high)
O365 Email Suspicious Search Behavior (splunk_escu)
O365 SharePoint Suspicious Search Behavior (splunk_escu)
Potential Credential Discovery via Recursive Grep (elastic, high)
Potential Impersonation Attempt via Kubectl (elastic, medium)
Potential Kerberos Attack via Bifrost (elastic, high)
Potential Okta Password in AlternateID Field (sigma, high)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potential Privilege Escalation via Linux DAC permissions (elastic, low)
Potential Secret Scanning via Gitleaks (elastic, medium)
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (sigma, medium)
Private Key Searching Activity (elastic, high)
Script Interpreter Spawning Credential Scanner - Linux (sigma, high)
Script Interpreter Spawning Credential Scanner - Windows (sigma, high)
Security File Access via Common Utilities (elastic, low)
Sensitive File Compression Detected via Defend for Containers (elastic, medium)
Sensitive Files Compression (elastic, medium)
Sensitive Files Compression Inside A Container (elastic, high)
Sensitive Identity File Open by Suspicious Process via Auditd (elastic, high)
Sensitive Keys Or Passwords Search Detected via Defend for Containers (elastic, medium)
Sensitive Keys Or Passwords Searched For Inside A Container (elastic, medium)
Service Account Token or Certificate Access Followed by Kubernetes API Request (elastic, medium)
Service Account Token or Certificate Read Detected via Defend for Containers (elastic, medium)
Suspicious CertUtil Commands (elastic, medium)
Suspicious Instance Metadata Service (IMDS) API Command Line Execution (elastic, medium)
Suspicious Instance Metadata Service (IMDS) API Request (elastic, medium)
Unusual Linux Process Calling the Metadata Service (elastic, low)
Unusual Linux User Calling the Metadata Service (elastic, low)
Unusual Web Config File Access (elastic, high)
Unusual Windows Process Calling the Metadata Service (elastic, low)
Unusual Windows User Calling the Metadata Service (elastic, low)
Web Server Exploitation Detected via Defend for Containers (elastic, high)
Web Server Local File Inclusion Activity (elastic, low)
Web Server Potential Command Injection Request (elastic, low)
Windows LAPS Password Gathering Via PowerShell Script (splunk_escu)
Windows Post Exploitation Risk Behavior (splunk_escu)
Windows SharePoint Spinstall0 GET Request (splunk_escu)
Windows Unsecured Outlook Credentials Access In Registry (splunk_escu)
Wireless Credential Dumping using Netsh Command (elastic, high)