Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping.(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
Platforms
Mitigations (4)
User TrainingM1017
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
AuditM1047
Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.
Restrict File and Directory PermissionsM1022
Restrict file shares to specific directories with access only to necessary users.
Password PoliciesM1027
Establish an organizational policy that prohibits password storage in files.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) ... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed files to gain valid credentials.(Citation: CISA AA20-259A Iran-Based Actor September ... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from FTP clients and Outlook.(Citation: Proofpoint TA505 Sep 201... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has obtained administrative credentials by browsing through local files on a compromised machine.(Citat... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has searched files to obtain and exfiltrate credentials.(Citation: Mandiant_UNC2165) |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne.(Citation: Syma... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen P... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) used [LaZagne](https://attack.mitre.org/software/S0349) to obtain passwords in files.(Citation: group... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [LaZagne](https://attack.mitre.org/software/S0349) to steal ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has dumped configuration settings in accessed IP cameras including plaintext credentials.(Citation... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured AWS credentials and Docker API credentials.(Citation: Cado Security TeamTN... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has run a tool that steals passwords saved in victim email.(Citation: Symantec MuddyWater Dec 2018... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) Spider searches for credential storage documentation on a compromised host.(Citation: CISA S... |
Associated Software (20)
| ID | Name | Type | Context |
|---|---|---|---|
| S0117 | XTunnel | Malware | [XTunnel](https://attack.mitre.org/software/S0117) is capable of accessing locally stored passwords on victims.(Citation: Invincea XTunnel) |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use Lazagne for harvesting credentials.(Citation: GitHub Pupy) |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that retrieves passwords stored on a system for the current lo... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains modules for searching for passwords in local and remote files.(Citation: GitHub PoshC2) |
| S0226 | Smoke Loader | Malware | [Smoke Loader](https://attack.mitre.org/software/S0226) searches for files named logins.json to parse for credentials.(Citation: Talos Smoke Loader Ju... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from configuration or support files.(Citation: SentinelL... |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from chats, databases, mail, and WiFi.(Citation: GitHub LaZagne Dec 2018) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can use various modules to search for files containing passwords.(Citation: Github PowerShell Empire... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has gathered sensitive data stored in the Node.JS file `process.env` to include credentials and ... |
| S0344 | Azorult | Malware | [Azorult](https://attack.mitre.org/software/S0344) can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.(Cit... |
| S0583 | Pysa | Malware | [Pysa](https://attack.mitre.org/software/S0583) has extracted credentials from the password database before encrypting the files.(Citation: CERT-FR PY... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has searched for SSH keys, Docker credentials, and Kubernetes service tokens.(Citation: Unit 42 H... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH... |
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from FTP clients.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork J... |
| S0067 | pngdowner | Malware | If an initial connectivity check fails, [pngdowner](https://attack.mitre.org/software/S0067) attempts to extract proxy details and credentials from Wi... |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has used a plug-in to gather credentials stored in files on the host by various software progra... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) searches for and if found collects the contents of files such as `logins.json` and `key4.db` ... |
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has obtained credentials stored in config files and credential files in victim environments.(Cit... |
References
- CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.
- Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.
- Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.
Frequently Asked Questions
What is T1552.001 (Credentials In Files)?
T1552.001 is a MITRE ATT&CK technique named 'Credentials In Files'. It belongs to the Credential Access tactic(s). Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credenti...
How can T1552.001 be detected?
Detection of T1552.001 (Credentials In Files) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1552.001?
There are 4 documented mitigations for T1552.001. Key mitigations include: User Training, Audit, Restrict File and Directory Permissions, Password Policies.
Which threat groups use T1552.001?
Known threat groups using T1552.001 include: APT33, Fox Kitten, TA505, FIN13, Indrik Spider, APT3, Leafminer, Kimsuky.