T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1552 | Unsecured Credentials | |
| CM-06 | Configuration Settings | mitigates | T1552 | Unsecured Credentials | |
| CM-05 | Access Restrictions for Change | mitigates | T1552 | Unsecured Credentials | |
| IA-05 | Authenticator Management | mitigates | T1552 | Unsecured Credentials | |
| AC-17 | Remote Access | mitigates | T1552 | Unsecured Credentials | |
| SC-12 | Cryptographic Key Establishment and Management | mitigates | T1552 | Unsecured Credentials | |
| SA-15 | Development Process, Standards, and Tools | mitigates | T1552 | Unsecured Credentials | |
| AC-19 | Access Control for Mobile Devices | mitigates | T1552 | Unsecured Credentials | |
| IA-04 | Identifier Management | mitigates | T1552 | Unsecured Credentials | |
| SC-28 | Protection of Information at Rest | mitigates | T1552 | Unsecured Credentials | |
| SC-04 | Information in Shared System Resources | mitigates | T1552 | Unsecured Credentials | |
| SI-12 | Information Management and Retention | mitigates | T1552 | Unsecured Credentials | |
| SI-02 | Flaw Remediation | mitigates | T1552 | Unsecured Credentials | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1552 | Unsecured Credentials | |
| IA-03 | Device Identification and Authentication | mitigates | T1552 | Unsecured Credentials | |
| SI-10 | Information Input Validation | mitigates | T1552 | Unsecured Credentials | |
| SI-15 | Information Output Filtering | mitigates | T1552 | Unsecured Credentials | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1552 | Unsecured Credentials | |
| AC-16 | Security and Privacy Attributes | mitigates | T1552 | Unsecured Credentials | |
| AC-18 | Wireless Access | mitigates | T1552 | Unsecured Credentials | |
| AC-20 | Use of External Systems | mitigates | T1552 | Unsecured Credentials | |
| CM-02 | Baseline Configuration | mitigates | T1552 | Unsecured Credentials | |
| SA-11 | Developer Testing and Evaluation | mitigates | T1552 | Unsecured Credentials | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1552 | Unsecured Credentials | |
| CM-07 | Least Functionality | mitigates | T1552 | Unsecured Credentials | |
| SI-04 | System Monitoring | mitigates | T1552 | Unsecured Credentials | |
| AC-02 | Account Management | mitigates | T1552 | Unsecured Credentials | |
| AC-03 | Access Enforcement | mitigates | T1552 | Unsecured Credentials | |
| AC-04 | Information Flow Enforcement | mitigates | T1552 | Unsecured Credentials | |
| AC-05 | Separation of Duties | mitigates | T1552 | Unsecured Credentials | |
| AC-06 | Least Privilege | mitigates | T1552 | Unsecured Credentials | |
| SC-07 | Boundary Protection | mitigates | T1552 | Unsecured Credentials | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.confidentiality.data_disclosure | None | related-to | T1552 | Unsecured Credentials | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552 | Unsecured Credentials | Google Cloud's HSM may protect against an adversary's attempts to leverage unsecured credentials found on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor. |
| cloud_key_management | Cloud Key Management | technique_scores | T1552 | Unsecured Credentials | Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured credentials can be moved to the Cloud Key Management Service to protect them from being stolen or abused. Since this service does not actually identify credentials that are currently insecure, the score is low. |
| google_secops | Google Security Operations | technique_scores | T1552 | Unsecured Credentials | Google Security Ops detects an attempt to scan registry hives for unsecured passwords. This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral |
| secret_manager | Secret Manager | technique_scores | T1552 | Unsecured Credentials | This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials. |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1552 | Unsecured Credentials | This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal. |
| aws_cloudhsm | AWS CloudHSM | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal Coverage score and consequently an overall score of Minimal. |
| aws_config | AWS Config | technique_scores | T1552 | Unsecured Credentials | The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, and "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial. |
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552 | Unsecured Credentials | |
| aws_key_management_service | AWS Key Management Service | technique_scores | T1552 | Unsecured Credentials | This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal Coverage score and consequently an overall score of Minimal. |
| aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552 | Unsecured Credentials | This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user. |
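The AWS Config note above names "codebuild-project-envvar-awscred-check", which flags CodeBuild projects that hold AWS credentials as plaintext environment variables. The following is an added example, not the managed rule's own implementation or any AWS code, that evaluates a CodeBuild project description (the `environment.environmentVariables` shape returned by the CodeBuild API) for that condition; the sample projects are constructed.

```python
"""Added example: flag CodeBuild projects whose AWS credentials are PLAINTEXT
environment variables, the condition that the AWS Config managed rule
"codebuild-project-envvar-awscred-check" reports. This is not the rule's
own implementation; it mirrors the documented check for illustration."""
from typing import Dict, List

# Variable names the managed rule looks for, as listed in the page's note.
CREDENTIAL_VAR_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def find_plaintext_credentials(project: Dict) -> List[str]:
    """Return the names of credential variables stored as PLAINTEXT.
    Variables sourced from Parameter Store or Secrets Manager are not
    flagged, because the secret value never lives in the project config."""
    findings = []
    env = project.get("environment", {})
    for var in env.get("environmentVariables", []):
        name = var.get("name", "")
        # CodeBuild variable types: PLAINTEXT (the default when omitted),
        # PARAMETER_STORE, SECRETS_MANAGER.
        if name in CREDENTIAL_VAR_NAMES and var.get("type", "PLAINTEXT") == "PLAINTEXT":
            findings.append(name)
    return findings


def evaluate_project(project: Dict) -> str:
    """Map findings to the verdict an AWS Config rule evaluation reports."""
    return "NON_COMPLIANT" if find_plaintext_credentials(project) else "COMPLIANT"


# Constructed sample projects (placeholder values, not real credentials).
INSECURE_PROJECT = {
    "name": "build-insecure",
    "environment": {"environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER", "type": "PLAINTEXT"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "secret-placeholder"},  # type omitted
    ]},
}
SECURE_PROJECT = {
    "name": "build-secure",
    "environment": {"environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "/ci/aws/key-id", "type": "PARAMETER_STORE"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "ci/aws/secret", "type": "SECRETS_MANAGER"},
        {"name": "BUILD_TARGET", "value": "release", "type": "PLAINTEXT"},
    ]},
}

if __name__ == "__main__":
    for p in (INSECURE_PROJECT, SECURE_PROJECT):
        print(p["name"], evaluate_project(p), find_plaintext_credentials(p))
```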

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1552.005 | Cloud Instance Metadata API | 19 |
| T1552.002 | Credentials in Registry | 21 |
| T1552.004 | Private Keys | 30 |
| T1552.003 | Bash History | 6 |
| T1552.001 | Credentials In Files | 27 |
| T1552.006 | Group Policy Preferences | 16 |
| T1552.008 | Chat Messages | 6 |
| T1552.007 | Container API | 20 |