Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
PR.PS-01.02 | Least functionality | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
PR.AA-05.02 | Privileged system access | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and the use of multi-factor authentication.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
PR.PS-01.06 | Encryption management practices | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protection from Unsecured Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
References
|
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of revocation of keys and key management. Employing key protection strategies for key material such as private keys, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise credentials.
References
|
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
PR.AA-03.01 | Authentication requirements | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
PR.IR-01.01 | Network segmentation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries trying to obtain unsecured credentials.
References
|
PR.IR-01.02 | Network device configurations | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.
References
|
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
PR.IR-01.05 | Remote access protection | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
PR.IR-01.06 | Production environment segregation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
ID.AM-08.05 | Data destruction procedures | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
PR.AA-01.01 | Identity and credential management | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
PR.PS-01.05 | Encryption standards | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations.
References
|
PR.PS-01.08 | End-user device protection | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, resulting in an overall detection score of Minimal.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides detection of unsecured credentials being divulged by AI model responses.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
azure_key_vault | Azure Key Vault | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1552 | Unsecured Credentials |
Comments
This control does not address this technique's procedure example and provides minimal detection for some of its sub-techniques resulting in an overall Minimal score.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials |
Comments
Google Cloud's HSM may protect against adversary's attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.
References
|
cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials |
Comments
Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured Credentials can be moved to the Cloud Key Management Service to protect from being stolen or abused. Since this service does not actually identify credentials that are currently insecure the score is low.
References
|
google_secops | Google Security Operations | technique_scores | T1552 | Unsecured Credentials |
Comments
Google Security Ops detects an attempt to scan registry hives for unsecured passwords.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral
References
|
secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
References
|
aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials |
Comments
The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs.
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk".
This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
References
|
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials |
Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials |
Comments
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1552 | Unsecured Credentials |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Unsecured Credential attacks due to Audit Solutions providing the visibility to allow admins to preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.
License Requirements:
Microsoft 365 E3 and E5
References
|
EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1552 | Unsecured Credentials |
Comments
This control's "Resolve unsecure account attributes" provides recommendations that can lead to strengthening how accounts are stored in Active Directory. This control provides recommendations specific to a few types of unsecured credentials (reversible and weakly encrypted credentials) while not providing recommendations for any other, resulting in a Minimal score.
References
|
DEF-IR-E5 | Incident Response | Technique Scores | T1552 | Unsecured Credentials |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to unsecure credential attacks due to Incident Response monitoring for newly executed processes, suspicious file access activity, and application logs for activity that may highlight malicious attempts to access application data.
License Requirements:
Microsoft Defender XDR
References
|
DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1552 | Unsecured Credentials |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Unsecured Credentials attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
PUR-INPR-E5 | Information Protection | Technique Scores | T1552 | Unsecured Credentials |
Comments
Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly.
Information Protection Detects Unsecured Credential attacks due to it detecting and encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1552.005 | Cloud Instance Metadata API | 25 |
T1552.002 | Credentials in Registry | 27 |
T1552.004 | Private Keys | 39 |
T1552.003 | Bash History | 9 |
T1552.001 | Credentials In Files | 31 |
T1552.006 | Group Policy Preferences | 19 |
T1552.008 | Chat Messages | 9 |
T1552.007 | Container API | 37 |