Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials | |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
References
|
aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials |
Comments
The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs.
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk".
This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
References
|
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials |
Comments
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1552.005 | Cloud Instance Metadata API | 4 |
T1552.002 | Credentials in Registry | 3 |
T1552.004 | Private Keys | 6 |
T1552.003 | Bash History | 2 |
T1552.001 | Credentials In Files | 7 |
T1552.006 | Group Policy Preferences | 2 |
T1552.008 | Chat Messages | 2 |
T1552.007 | Container API | 2 |