EXPLORE
← Back to Explore
T1552

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/...

WindowsSaaSIaaSLinuxmacOSContainersNetwork DevicesOffice SuiteIdentity Provider
104
Detections
5
Sources
1
Threat Actors

BY SOURCE

80elastic13sigma8splunk_escu2crowdstrike_cql1kql

PROCEDURES (66)

Azure5 detections

Auto-extracted: 5 detections for azure

Aws4 detections

Auto-extracted: 4 detections for aws

Anomal4 detections

Auto-extracted: 4 detections for anomal

Credential3 detections

Auto-extracted: 3 detections for credential

Registry3 detections

Auto-extracted: 3 detections for registry

Container2 detections

Auto-extracted: 2 detections for container

Http2 detections

Auto-extracted: 2 detections for http

C22 detections

Auto-extracted: 2 detections for c2

Container2 detections

Auto-extracted: 2 detections for container

Container2 detections

Auto-extracted: 2 detections for container

Api2 detections

Auto-extracted: 2 detections for api

Lateral2 detections

Auto-extracted: 2 detections for lateral

Dump2 detections

Auto-extracted: 2 detections for dump

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Persist2 detections

Auto-extracted: 2 detections for persist

Persist2 detections

Auto-extracted: 2 detections for persist

Inject2 detections

Auto-extracted: 2 detections for inject

Container2 detections

Auto-extracted: 2 detections for container

Oauth2 detections

Auto-extracted: 2 detections for oauth

Event Log2 detections

Auto-extracted: 2 detections for event log

Azure1 detections

Auto-extracted: 1 detections for azure

Download1 detections

Auto-extracted: 1 detections for download

Remote1 detections

Auto-extracted: 1 detections for remote

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Download1 detections

Auto-extracted: 1 detections for download

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Container1 detections

Auto-extracted: 1 detections for container

Dump1 detections

Auto-extracted: 1 detections for dump

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Remote1 detections

Auto-extracted: 1 detections for remote

Azure1 detections

Auto-extracted: 1 detections for azure

Aws1 detections

Auto-extracted: 1 detections for aws

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Cloud1 detections

Auto-extracted: 1 detections for cloud

Lateral1 detections

Auto-extracted: 1 detections for lateral

Cloud1 detections

Auto-extracted: 1 detections for cloud

Privilege1 detections

Auto-extracted: 1 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Remote1 detections

Auto-extracted: 1 detections for remote

Dump1 detections

Auto-extracted: 1 detections for dump

Process Access1 detections

Auto-extracted: 1 detections for process access

Inject1 detections

Auto-extracted: 1 detections for inject

Credential1 detections

Auto-extracted: 1 detections for credential

Cloud1 detections

Auto-extracted: 1 detections for cloud

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Azure1 detections

Auto-extracted: 1 detections for azure

Credential1 detections

Auto-extracted: 1 detections for credential

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Persist1 detections

Auto-extracted: 1 detections for persist

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Cloud1 detections

Auto-extracted: 1 detections for cloud

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

C21 detections

Auto-extracted: 1 detections for c2

C21 detections

Auto-extracted: 1 detections for c2

Token1 detections

Auto-extracted: 1 detections for token

Http1 detections

Auto-extracted: 1 detections for http

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

THREAT ACTORS (1)

DETECTIONS (104)

Access to a Sensitive LDAP Attribute
elasticmedium
Added Owner To Application
sigmamedium
Application AppID Uri Configuration Changes
sigmahigh
Applications with plaintext passwords
crowdstrike_cql
Applications with plaintext passwords
crowdstrike_cql
AWS Bedrock AgentCore Runtime Prompt Containing Credentials
elastichigh
AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata
elastichigh
AWS Bedrock Model Prompt or Completion Containing Credentials
elasticmedium
AWS Credentials Searched For Inside A Container
elastichigh
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization
elastichigh
AWS EC2 Instance Console Login via Assumed Role
elastichigh
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
elasticmedium
AWS EC2 User Data Retrieval for EC2 Instance
elasticmedium
AWS IAM CompromisedKeyQuarantine Policy Attached to User
elastichigh
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
elastichigh
AWS IAM Long-Term Access Key First Seen from Source IP
elasticmedium
AWS S3 Credential File Retrieved from Bucket
elasticmedium
Azure Arc Cluster Credential Access by Identity from Unusual Source
elasticmedium
Azure Event Hub Authorization Rule Created or Updated
elasticmedium
Azure Key Vault Modified or Deleted
sigmamedium
Azure Keyvault Key Modified or Deleted
sigmamedium
Azure Keyvault Secrets Modified or Deleted
sigmamedium
Azure Kubernetes Admission Controller
sigmamedium
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
elasticmedium
Azure Storage Account Key Regenerated
elasticlow
Azure VM Boot Diagnostics Retrieved
elasticmedium
Cisco SNMP Community String Configuration Changes
splunk_escu
Cloud Credential Search Detected via Defend for Containers
elasticmedium
Cloud Instance Metadata Credential Path HTTP Request
elasticmedium
Command Shell Activity Started via RunDLL32
elasticlow
Commandlines with cleartext passwords
kql
Creation or Modification of Domain Backup DPAPI private key
elastichigh
Credential Access via TruffleHog Execution
elasticmedium
Detect AWS Console Login by New User
splunk_escu
EventLog Query Requests By Builtin Utilities
sigmamedium
First Time Python Accessed Sensitive Credential Files
elasticmedium
FortiGate Configuration File Downloaded
elasticmedium
GenAI Process Accessing Sensitive Files
elastichigh
GitHub Authentication Token Access via Node.js
elasticmedium
GKE Rapid Secret GET Activity Against Multiple Objects
elastichigh
GKE Secret get or list with Suspicious User Agent
elastichigh
GKE Secrets List from Unusual Source AS Organization
elastichigh
Google Cloud Kubernetes Admission Controller
sigmamedium
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
elastichigh
Kubeconfig File Creation or Modification
elasticmedium
Kubeconfig File Discovery
elasticlow
Kubectl Secrets Enumeration Across All Namespaces
elastichigh
Kubelet Certificate File Access Detected via Defend for Containers
elasticlow
Kubernetes Admission Controller Modification
sigmamedium
Kubernetes and Cloud Credential Path Access via Process Arguments
elastichigh
Kubernetes Direct API Request via Curl or Wget
elasticmedium
Kubernetes Pod Exec Cloud Instance Metadata Access
elastichigh
Kubernetes Pod Exec Sensitive File or Credential Path Access
elastichigh
Kubernetes Rapid Secret GET Activity Against Multiple Objects
elastichigh
Kubernetes Secret Access via Unusual User Agent
elasticlow
Kubernetes Secret get or list from Node or Pod Service Account
elasticmedium
Kubernetes Secret get or list with Suspicious User Agent
elastichigh
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy
elasticmedium
Kubernetes Secrets List Across Cluster or Sensitive Namespaces
elastichigh
Kubernetes Service Account Secret Access
elasticmedium
Kubernetes Service Account Token Created via TokenRequest API
elasticmedium
Microsoft IIS Connection Strings Decryption
elastichigh
Microsoft IIS Service Account Password Dumped
elasticlow
Multi-Cloud CLI Token and Credential Access Commands
elastichigh
O365 Email Suspicious Search Behavior
splunk_escu
O365 SharePoint Suspicious Search Behavior
splunk_escu
Potential Credential Discovery via Recursive Grep
elastichigh
Potential Impersonation Attempt via Kubectl
elasticmedium
Potential Kerberos Attack via Bifrost
elastichigh
Potential Okta Password in AlternateID Field
sigmahigh
Potential PowerShell HackTool Script by Function Names
elasticmedium
Potential Privilege Escalation via Linux DAC permissions
elasticlow
Potential Secret Scanning via Gitleaks
elasticmedium
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
sigmamedium
Private Key Searching Activity
elastichigh
Protected Storage Service Access via SMB
elastichigh
Script Interpreter Spawning Credential Scanner - Linux
sigmahigh
Script Interpreter Spawning Credential Scanner - Windows
sigmahigh
Security File Access via Common Utilities
elasticlow
Sensitive File Compression Detected via Defend for Containers
elasticmedium
Sensitive Files Compression
elasticmedium
Sensitive Files Compression Inside A Container
elastichigh
Sensitive Identity File Open by Suspicious Process via Auditd
elastichigh
Sensitive Keys Or Passwords Search Detected via Defend for Containers
elasticmedium
Sensitive Keys Or Passwords Searched For Inside A Container
elasticmedium
Service Account Token or Certificate Access Followed by Kubernetes API Request
elasticmedium
Service Account Token or Certificate Read Detected via Defend for Containers
elasticmedium
Suspicious CertUtil Commands
elasticmedium
Suspicious Instance Metadata Service (IMDS) API Command Line Execution
elasticmedium
Suspicious Instance Metadata Service (IMDS) API Request
elasticmedium
Unusual Linux Process Calling the Metadata Service
elasticlow
Unusual Linux User Calling the Metadata Service
elasticlow
Unusual Web Config File Access
elastichigh
Unusual Windows Process Calling the Metadata Service
elasticlow
Unusual Windows User Calling the Metadata Service
elasticlow
Web Server Cloud Metadata SSRF Request
elasticmedium
Web Server Exploitation Detected via Defend for Containers
elastichigh
Web Server Local File Inclusion Activity
elasticlow
Web Server Potential Command Injection Request
elasticlow
Windows LAPS Password Gathering Via PowerShell Script
splunk_escu
Windows Post Exploitation Risk Behavior
splunk_escu
Windows SharePoint Spinstall0 GET Request
splunk_escu
Windows Unsecured Outlook Credentials Access In Registry
splunk_escu
Wireless Credential Dumping using Netsh Command
elastichigh