T1552 Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 | Least functionality | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.AA-05.02 | Privileged system access | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and the use of multi-factor authentication.

DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

PR.PS-01.06 | Encryption management practices | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access or theft of data. For the Unsecured Credentials technique, cryptography and key management best practice dictates that, when possible, keys are stored on separate cryptographic hardware instead of on the local system, to mitigate theft of credentials stored in insecure locations.

PR.PS-01.03 | Configuration deviation | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement provides protection from Unsecured Credentials through the implementation of security configuration baselines for the OS, software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials through key revocation and key management. Employing key protection strategies for key material such as private keys, restricting it to specific accounts, and applying access control mechanisms provides protection against adversaries trying to compromise credentials.

ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

PR.AA-03.01 | Authentication requirements | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

PR.IR-01.01 | Network segmentation | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries trying to obtain unsecured credentials.

PR.IR-01.02 | Network device configurations | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

PR.IR-01.05 | Remote access protection | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.

PR.IR-01.06 | Production environment segregation | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

ID.AM-08.05 | Data destruction procedures | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

PR.AA-01.01 | Identity and credential management | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

PR.PS-01.05 | Encryption standards | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access or theft of data. For the Unsecured Credentials technique, cryptography and key management best practice dictates that, when possible, keys are stored on separate cryptographic hardware instead of on the local system, to mitigate theft of credentials stored in insecure locations.

PR.PS-01.08 | End-user device protection | Mitigates | T1552 | Unsecured Credentials
Comments: This diagnostic statement protects against Unsecured Credentials by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1552 | Unsecured Credentials
CM-06 | Configuration Settings | mitigates | T1552 | Unsecured Credentials
CM-05 | Access Restrictions for Change | mitigates | T1552 | Unsecured Credentials
IA-05 | Authenticator Management | mitigates | T1552 | Unsecured Credentials
AC-17 | Remote Access | mitigates | T1552 | Unsecured Credentials
SC-12 | Cryptographic Key Establishment and Management | mitigates | T1552 | Unsecured Credentials
SA-15 | Development Process, Standards, and Tools | mitigates | T1552 | Unsecured Credentials
AC-19 | Access Control for Mobile Devices | mitigates | T1552 | Unsecured Credentials
IA-04 | Identifier Management | mitigates | T1552 | Unsecured Credentials
SC-28 | Protection of Information at Rest | mitigates | T1552 | Unsecured Credentials
SC-04 | Information in Shared System Resources | mitigates | T1552 | Unsecured Credentials
SI-12 | Information Management and Retention | mitigates | T1552 | Unsecured Credentials
SI-02 | Flaw Remediation | mitigates | T1552 | Unsecured Credentials
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1552 | Unsecured Credentials
IA-03 | Device Identification and Authentication | mitigates | T1552 | Unsecured Credentials
SI-10 | Information Input Validation | mitigates | T1552 | Unsecured Credentials
SI-15 | Information Output Filtering | mitigates | T1552 | Unsecured Credentials
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1552 | Unsecured Credentials
AC-16 | Security and Privacy Attributes | mitigates | T1552 | Unsecured Credentials
AC-18 | Wireless Access | mitigates | T1552 | Unsecured Credentials
AC-20 | Use of External Systems | mitigates | T1552 | Unsecured Credentials
CM-02 | Baseline Configuration | mitigates | T1552 | Unsecured Credentials
SA-11 | Developer Testing and Evaluation | mitigates | T1552 | Unsecured Credentials
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1552 | Unsecured Credentials
CM-07 | Least Functionality | mitigates | T1552 | Unsecured Credentials
SI-04 | System Monitoring | mitigates | T1552 | Unsecured Credentials
AC-02 | Account Management | mitigates | T1552 | Unsecured Credentials
AC-03 | Access Enforcement | mitigates | T1552 | Unsecured Credentials
AC-04 | Information Flow Enforcement | mitigates | T1552 | Unsecured Credentials
AC-05 | Separation of Duties | mitigates | T1552 | Unsecured Credentials
AC-06 | Least Privilege | mitigates | T1552 | Unsecured Credentials
SC-07 | Boundary Protection | mitigates | T1552 | Unsecured Credentials

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | technique_scores | T1552 | Unsecured Credentials
Comments: This control provides detection of unsecured credentials being divulged in AI model responses.

azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552 | Unsecured Credentials
Comments: This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal.

azure_key_vault | Azure Key Vault | technique_scores | T1552 | Unsecured Credentials
Comments: This control provides a central, secure location for storing credentials, reducing the possibility of attackers discovering unsecured credentials.

defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1552 | Unsecured Credentials

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials
Comments: Google Cloud's HSM may protect against adversaries' attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium-to-high coverage factor.

cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials
Comments: Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured credentials can be moved into Cloud Key Management Service to protect them from being stolen or abused. Since this service does not actually identify credentials that are currently insecure, the score is low.

google_secops | Google Security Operations | technique_scores | T1552 | Unsecured Credentials
Comments: Google Security Operations detects attempts to scan registry hives for unsecured passwords. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Detection rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral

secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials
Comments: This control provides a central, secure location for storing credentials, reducing the possibility of attackers discovering unsecured credentials.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials
Comments: This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and has no specific coverage for its procedures, resulting in an overall score of Minimal.

aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials
Comments: This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal.

aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials
Comments: The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, and "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured against adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.

aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials

aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials
Comments: This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal.

aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials
Comments: This control is relevant for credentials stored in applications or configuration files, but not for credentials entered directly by a user.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1552.005 | Cloud Instance Metadata API | 25
T1552.002 | Credentials in Registry | 27
T1552.004 | Private Keys | 37
T1552.003 | Bash History | 9
T1552.001 | Credentials In Files | 30
T1552.006 | Group Policy Preferences | 19
T1552.008 | Chat Messages | 6
T1552.007 | Container API | 35