EXPLORE

← Back to Explore

T1552.001

Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/tech...

ContainersIaaSLinuxmacOSWindows

53

Detections

3

Sources

14

Threat Actors

BY SOURCE

27elastic20sigma6splunk_escu

PROCEDURES (38)

Process Creation Monitoring10 detections

Auto-extracted: 10 detections for process creation monitoring

Azure2 detections

Auto-extracted: 2 detections for azure

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Container2 detections

Auto-extracted: 2 detections for container

Api2 detections

Auto-extracted: 2 detections for api

Lateral2 detections

Auto-extracted: 2 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Process Access1 detections

Auto-extracted: 1 detections for process access

Credential1 detections

Auto-extracted: 1 detections for credential

Api1 detections

Auto-extracted: 1 detections for api

Dump1 detections

Auto-extracted: 1 detections for dump

Token1 detections

Auto-extracted: 1 detections for token

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Credential1 detections

Auto-extracted: 1 detections for credential

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Container1 detections

Auto-extracted: 1 detections for container

Credential1 detections

Auto-extracted: 1 detections for credential

Container1 detections

Auto-extracted: 1 detections for container

Azure1 detections

Auto-extracted: 1 detections for azure

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Kernel Monitoring1 detections

Auto-extracted: 1 detections for kernel monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Event Log1 detections

Auto-extracted: 1 detections for event log

Event Log1 detections

Auto-extracted: 1 detections for event log

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Dump1 detections

Auto-extracted: 1 detections for dump

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Cloud1 detections

Auto-extracted: 1 detections for cloud

Cloud1 detections

Auto-extracted: 1 detections for cloud

Credential1 detections

Auto-extracted: 1 detections for credential

Remote1 detections

Auto-extracted: 1 detections for remote

Download1 detections

Auto-extracted: 1 detections for download

THREAT ACTORS (14)

APT3 APT33 Ember Bear FIN13 Fox Kitten Indrik Spider Kimsuky Leafminer MuddyWater OilRig RedCurl Scattered Spider TA505 TeamTNT

DETECTIONS (53)

Automated Collection Command Prompt

AWS Credentials Searched For Inside A Container

Azure Key Vault Modified or Deleted

Azure Keyvault Key Modified or Deleted

Azure Keyvault Secrets Modified or Deleted

Cisco Collect Data

Cloud Credential Search Detected via Defend for Containers

Copy Passwd Or Shadow From TMP Path

Credential Access via TruffleHog Execution

Credentials In Files

Credentials In Files - Linux

Extracting Information with PowerShell

First Time Python Accessed Sensitive Credential Files

FortiGate Configuration File Downloaded

GenAI Process Accessing Sensitive Files

HackTool - Typical HiveNightmare SAM File Export

HackTool - WinPwn Execution

HackTool - WinPwn Execution - ScriptBlock

Hidden Flag Set On File/Directory Via Chflags - MacOS

Insensitive Subfolder Search Via Findstr.EXE

Kubeconfig File Creation or Modification

Kubeconfig File Discovery

Kubernetes Service Account Secret Access

Linux Recon Indicators

MCP Github Suspicious Operation

MCP Sensitive System File Search

Microsoft IIS Connection Strings Decryption

Potential Credential Discovery via Recursive Grep

Potential Kerberos Attack via Bifrost

Potential password in username

Potential PowerShell Console History Access Attempt via History File

Potential Secret Scanning via Gitleaks

Potentially Suspicious JWT Token Search Via CLI

Private Key Searching Activity

PUA - TruffleHog Execution

PUA - TruffleHog Execution - Linux

Remote File Download Via Findstr.EXE

Security File Access via Common Utilities

Sensitive File Compression Detected via Defend for Containers

Sensitive Files Compression

Sensitive Files Compression Inside A Container

Sensitive Keys Or Passwords Search Detected via Defend for Containers

Sensitive Keys Or Passwords Searched For Inside A Container

Service Account Token or Certificate Access Followed by Kubernetes API Request

Service Account Token or Certificate Read Detected via Defend for Containers

Shai-Hulud 2 Exfiltration Artifact Files

Unusual Web Config File Access

Web Server Exploitation Detected via Defend for Containers

Web Server Local File Inclusion Activity

Web Server Potential Command Injection Request

Windows Unusual FileZilla XML Config Access

Windows Unusual Intelliform Storage Registry Access

Wireless Credential Dumping using Netsh Command