Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)
Sub-Techniques (8)
T1552.001 Credentials In Files
T1552.002 Credentials in Registry
T1552.003 Shell History
T1552.004 Private Keys
T1552.005 Cloud Instance Metadata API
T1552.006 Group Policy Preferences
T1552.007 Container API
T1552.008 Chat Messages
Mitigations (11)
Encrypt Sensitive Information (M1041)
When possible, store keys on separate cryptographic hardware instead of on the local system.
Update Software (M1051)
Apply patch KB2962486, which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)
User Training (M1017)
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
Active Directory Configuration (M1015)
Remove vulnerable Group Policy Preferences.(Citation: Microsoft MS14-025)
Password Policies (M1027)
Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.
Operating System Configuration (M1028)
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
- `set +o history` to stop logging, and `set -o history` to start logging again;
- `unset HISTFILE` added to a user's .bashrc file; and
- `ln -s /dev/null ~/.bash_history` to write commands to /dev/null instead.
Filter Network Traffic (M1037)
Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
Restrict File and Directory Permissions (M1022)
Restrict file shares to specific directories with access only to necessary users.
Limit Access to Resource Over Network (M1035)
Limit network access to sensitive services, such as the Instance Metadata API.
Audit (M1047)
Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.
Privileged Account Management (M1026)
If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
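As an added illustration of the Audit mitigation (M1047), the following Python scanner is example code written for this page, not part of MITRE ATT&CK or any vendor tool; the file contents are constructed samples, and the detection patterns are heuristics for the plaintext storage locations named above (config files, shell history, PEM keys), so some false positives are expected.

```python
import re
from pathlib import Path

# Heuristic (label, regex) pairs for common ways credentials end up in plaintext
# files. Not exhaustive: tune the keyword list to the applications in use.
PATTERNS = [
    ("config password assignment",
     re.compile(r"^\s*(?:export\s+)?[\w.-]*(?:password|passwd|pwd|secret|token)[\w.-]*"
                r"\s*[:=]\s*['\"]?([^'\"\s#]+)", re.IGNORECASE)),
    ("PEM private key",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("password passed on command line",
     re.compile(r"\b(?:mysql|mysqldump|psql)\b.*\s-p(\S+)|\bcurl\b.*\s(?:-u|--user)\s+\S+:(\S+)")),
]

# Values that are clearly placeholders or variable references, not real secrets.
PLACEHOLDERS = {"", "changeme", "password", "xxx", "redacted"}


def is_placeholder(value):
    v = value.lower()
    return v in PLACEHOLDERS or v.startswith(("${", "%(", "<"))


def scan_text(text, source="<memory>"):
    """Return (source, line_no, label) for each line that looks like an exposed credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, regex in PATTERNS:
            m = regex.search(line)
            if not m:
                continue
            value = next((g for g in m.groups() if g), "")
            if label != "PEM private key" and is_placeholder(value):
                continue          # skip templated or dummy values
            findings.append((source, line_no, label))
            break                 # report each line at most once
    return findings


def scan_paths(paths):
    """Walk the given files/directories and aggregate findings from scan_text."""
    findings = []
    for p in paths:
        for f in ([p] if p.is_file() else p.rglob("*")):
            if f.is_file():
                findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed sample inputs (not captured from any real system).
CONFIG_SAMPLE = "db_password = s3cr3tValue\nDB_PASSWORD=${DB_PASSWORD}\nadmin_password: changeme\n-----BEGIN RSA PRIVATE KEY-----\n"
HISTORY_SAMPLE = "ls -la\nmysql -u root -pHunter2 prod\ncurl -u admin:Tr0ub4dor https://example.internal/api\nset +o history\n"
```

Running `scan_paths([Path("/etc"), Path.home()])` over real directories yields candidate locations to remediate, which is the preemptive search the mitigation describes.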
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has obtained credentials insecurely stored on targeted network appliances.(Citation: CISA AA24-... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses NirSoft tools to steal user credentials from the infected machine.(Citation: Ensilo Darkgate ... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cl... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses an external software known as NetPass to recover passwords. (Citation: Cybereason Astaroth Fe... |
| S1131 | NPPSPY | Tool | [NPPSPY](https://attack.mitre.org/software/S1131) captures credentials by recording them through an alternative network listener registered to the <co... |
Frequently Asked Questions
What is T1552 (Unsecured Credentials)?
T1552 is a MITRE ATT&CK technique named 'Unsecured Credentials'. It belongs to the Credential Access tactic(s). Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (...
How can T1552 be detected?
Detection of T1552 (Unsecured Credentials) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1552?
There are 11 documented mitigations for T1552. Key mitigations include: Encrypt Sensitive Information, Update Software, User Training, Active Directory Configuration, Password Policies.
Which threat groups use T1552?
Known threat groups using T1552 include: Volt Typhoon.