Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials | 
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials | Google Cloud's HSM may protect against adversaries' attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium-to-high coverage factor.
cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials | Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured credentials can be moved into Cloud Key Management Service to protect them from being stolen or abused. Since this service does not actually identify credentials that are currently insecure, the score is Low.
google_secops | Google Security Operations | technique_scores | T1552 | Unsecured Credentials | Google Security Ops detects an attempt to scan registry hives for unsecured passwords. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral
secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials | This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials | This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal.
aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials | The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, and "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured against adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials | This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal.
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials | This control is relevant for credentials stored in applications or configuration files, but not for credentials entered directly by a user.
Technique ID | Technique Name | Number of Mappings
---|---|---
T1552.005 | Cloud Instance Metadata API | 5 |
T1552.002 | Credentials in Registry | 3 |
T1552.004 | Private Keys | 8 |
T1552.003 | Bash History | 2 |
T1552.001 | Credentials In Files | 9 |
T1552.006 | Group Policy Preferences | 2 |
T1552.008 | Chat Messages | 3 |
T1552.007 | Container API | 6 |