T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials | Google Cloud's HSM may protect against an adversary's attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor. |
| actifio_go | Actifio Go | technique_scores | T1552 | Unsecured Credentials | Actifio Sky can be configured with optional storage pool encryption. Administrative end-user credentials are hashed with a strong one-way salted SHA256 hash in the appliance database. Credentials used by the appliance to access other systems (vCenters, databases) are stored in an AES256 encrypted form. This provides significant protection against adversaries searching compromised Actifio systems for insecurely stored credentials. However, this does not provide protection for other credentials stored on non-Actifio components. This has resulted in a score of partial. |
| cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials | |
| chronicle | Chronicle | technique_scores | T1552 | Unsecured Credentials | Chronicle detects an attempt to scan registry hives for unsecured passwords. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral |
| secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials | This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials. |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1552.005 | Cloud Instance Metadata API | 1 |
| T1552.007 | Container API | 3 |
| T1552.001 | Credentials In Files | 2 |
| T1552.004 | Private Keys | 2 |