Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.confidentiality.data_disclosure | Confirmed or potential data disclosure | related-to | T1552 | Unsecured Credentials | |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1552.005 | Cloud Instance Metadata API | 2 |
| T1552.002 | Credentials in Registry | 2 |
| T1552.004 | Private Keys | 2 |
| T1552.003 | Shell History | 2 |
| T1552.001 | Credentials In Files | 2 |
| T1552.006 | Group Policy Preferences | 3 |
| T1552.008 | Chat Messages | 3 |
| T1552.007 | Container API | 1 |