T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-16 | Security and Privacy Attributes | Protects | T1552 | Unsecured Credentials |
AC-17 | Remote Access | Protects | T1552 | Unsecured Credentials |
AC-18 | Wireless Access | Protects | T1552 | Unsecured Credentials |
AC-19 | Access Control for Mobile Devices | Protects | T1552 | Unsecured Credentials |
AC-2 | Account Management | Protects | T1552 | Unsecured Credentials |
AC-20 | Use of External Systems | Protects | T1552 | Unsecured Credentials |
AC-3 | Access Enforcement | Protects | T1552 | Unsecured Credentials |
AC-4 | Information Flow Enforcement | Protects | T1552 | Unsecured Credentials |
AC-5 | Separation of Duties | Protects | T1552 | Unsecured Credentials |
AC-6 | Least Privilege | Protects | T1552 | Unsecured Credentials |
CA-7 | Continuous Monitoring | Protects | T1552 | Unsecured Credentials |
CA-8 | Penetration Testing | Protects | T1552 | Unsecured Credentials |
CM-2 | Baseline Configuration | Protects | T1552 | Unsecured Credentials |
CM-5 | Access Restrictions for Change | Protects | T1552 | Unsecured Credentials |
CM-6 | Configuration Settings | Protects | T1552 | Unsecured Credentials |
CM-7 | Least Functionality | Protects | T1552 | Unsecured Credentials |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1552 | Unsecured Credentials |
IA-3 | Device Identification and Authentication | Protects | T1552 | Unsecured Credentials |
IA-4 | Identifier Management | Protects | T1552 | Unsecured Credentials |
IA-5 | Authenticator Management | Protects | T1552 | Unsecured Credentials |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1552 | Unsecured Credentials |
SA-11 | Developer Testing and Evaluation | Protects | T1552 | Unsecured Credentials |
SA-15 | Development Process, Standards, and Tools | Protects | T1552 | Unsecured Credentials |
SC-12 | Cryptographic Key Establishment and Management | Protects | T1552 | Unsecured Credentials |
SC-28 | Protection of Information at Rest | Protects | T1552 | Unsecured Credentials |
SC-4 | Information in Shared System Resources | Protects | T1552 | Unsecured Credentials |
SC-7 | Boundary Protection | Protects | T1552 | Unsecured Credentials |
SI-10 | Information Input Validation | Protects | T1552 | Unsecured Credentials |
SI-12 | Information Management and Retention | Protects | T1552 | Unsecured Credentials |
SI-15 | Information Output Filtering | Protects | T1552 | Unsecured Credentials |
SI-2 | Flaw Remediation | Protects | T1552 | Unsecured Credentials |
SI-4 | System Monitoring | Protects | T1552 | Unsecured Credentials |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1552 | Unsecured Credentials |
azure_sentinel | Azure Sentinel | technique_scores | T1552 | Unsecured Credentials |
Comments: This control provides a highly specific detection for a misconfiguration that can lead to one of this technique's sub-techniques, ultimately preventing it.
azure_sentinel | Azure Sentinel | technique_scores | T1552 | Unsecured Credentials |
Comments: This control provides minimal to partial coverage for a minority of this technique's sub-techniques, resulting in an overall detection score of Minimal.
azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552 | Unsecured Credentials |
Comments: This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
managed_identities_for_azure_resources | Managed identities for Azure resources | technique_scores | T1552 | Unsecured Credentials |
Comments: This control provides protection for one of this technique's sub-techniques, while not providing any protection for its procedure examples nor its remaining sub-techniques, resulting in an overall Minimal score.
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1552 | Unsecured Credentials |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1552 | Unsecured Credentials |
Comments: This control's "Resolve unsecure account attributes" provides recommendations that can lead to strengthening how accounts are stored in Active Directory. This control provides recommendations specific to a few types of unsecured credentials (reversible and weakly encrypted credentials) while not providing recommendations for any other, resulting in a Minimal score.
azure_key_vault | Azure Key Vault | technique_scores | T1552 | Unsecured Credentials |
Comments: This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1552.003 | Bash History | 4
T1552.005 | Cloud Instance Metadata API | 13
T1552.001 | Credentials In Files | 21
T1552.002 | Credentials in Registry | 18
T1552.006 | Group Policy Preferences | 14
T1552.004 | Private Keys | 24