Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.AA-05.02 | Privileged system access | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and multi-factor authentication. |
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. For the Unsecured Credentials technique, cryptography and key management best practice dictates that, when possible, keys be stored on separate cryptographic hardware instead of on the local system, mitigating theft of credentials stored in unsecure locations. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides protection from Unsecured Credentials through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials through key revocation and key management. Employing key protection strategies for key material such as private keys, restricting it to specific accounts, and applying access control mechanisms provides protection against adversaries trying to compromise credentials. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials. |
PR.IR-01.01 | Network segmentation | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries trying to obtain unsecured credentials. |
PR.IR-01.02 | Network device configurations | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |
PR.IR-01.05 | Remote access protection | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which helps prevent adversary access. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts. |
PR.PS-01.05 | Encryption standards | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, mitigating unauthorized access to or theft of data. For the Unsecured Credentials technique, cryptography and key management best practice dictates that, when possible, keys be stored on separate cryptographic hardware instead of on the local system, mitigating theft of credentials stored in unsecure locations. |
PR.PS-01.08 | End-user device protection | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement protects against Unsecured Credentials by limiting access to resources to only authorized devices, managing personal computing devices, employing network intrusion prevention, and using antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | technique_scores | T1552 | Unsecured Credentials | This control provides detection of unsecured credentials being divulged by AI model responses. |
azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
azure_key_vault | Azure Key Vault | technique_scores | T1552 | Unsecured Credentials | This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1552 | Unsecured Credentials | This control does not address this technique's procedure example and provides minimal detection for some of its sub-techniques, resulting in an overall Minimal score. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials | Google Cloud's HSM may protect against adversaries' attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor. |
cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials | Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured credentials can be moved to the Cloud Key Management Service to protect them from being stolen or abused. Since this service does not actually identify credentials that are currently insecure, the score is low. |
google_secops | Google Security Operations | technique_scores | T1552 | Unsecured Credentials | Google Security Ops detects an attempt to scan registry hives for unsecured passwords. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral |
secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials | This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials | This control provides minimal to partial coverage for a minority of this technique's sub-techniques, without specific coverage for its procedures, resulting in an overall score of Minimal. |
aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials | The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, and "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured against adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial. |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials | This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. |
aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials | This control is relevant for credentials stored in applications or configuration files, but not for credentials entered directly by a user. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1552.005 | Cloud Instance Metadata API | 25 |
T1552.002 | Credentials in Registry | 27 |
T1552.004 | Private Keys | 37 |
T1552.003 | Bash History | 9 |
T1552.001 | Credentials In Files | 30 |
T1552.006 | Group Policy Preferences | 19 |
T1552.008 | Chat Messages | 6 |
T1552.007 | Container API | 35 |