T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.confidentiality.data_disclosure None related-to T1552 Unsecured Credentials
amazon_guardduty Amazon GuardDuty technique_scores T1552 Unsecured Credentials
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
References
aws_cloudhsm AWS CloudHSM technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
aws_config AWS Config technique_scores T1552 Unsecured Credentials
Comments
The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
References
aws_iot_device_defender AWS IoT Device Defender technique_scores T1552 Unsecured Credentials
aws_key_management_service AWS Key Management Service technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
aws_secrets_manager AWS Secrets Manager technique_scores T1552 Unsecured Credentials
Comments
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1552.005 Cloud Instance Metadata API 4
T1552.002 Credentials in Registry 3
T1552.004 Private Keys 6
T1552.003 Bash History 2
T1552.001 Credentials In Files 7
T1552.006 Group Policy Preferences 2
T1552.008 Chat Messages 2
T1552.007 Container API 2