1. Home
  2. ATT&CK Techniques
  3. T1552 Unsecured Credentials

T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1552 Unsecured Credentials
AC-17 Remote Access Protects T1552 Unsecured Credentials
AC-18 Wireless Access Protects T1552 Unsecured Credentials
AC-19 Access Control for Mobile Devices Protects T1552 Unsecured Credentials
AC-2 Account Management Protects T1552 Unsecured Credentials
AC-20 Use of External Systems Protects T1552 Unsecured Credentials
AC-3 Access Enforcement Protects T1552 Unsecured Credentials
AC-4 Information Flow Enforcement Protects T1552 Unsecured Credentials
AC-5 Separation of Duties Protects T1552 Unsecured Credentials
AC-6 Least Privilege Protects T1552 Unsecured Credentials
CA-7 Continuous Monitoring Protects T1552 Unsecured Credentials
CA-8 Penetration Testing Protects T1552 Unsecured Credentials
CM-2 Baseline Configuration Protects T1552 Unsecured Credentials
CM-5 Access Restrictions for Change Protects T1552 Unsecured Credentials
CM-6 Configuration Settings Protects T1552 Unsecured Credentials
CM-7 Least Functionality Protects T1552 Unsecured Credentials
IA-2 Identification and Authentication (organizational Users) Protects T1552 Unsecured Credentials
IA-3 Device Identification and Authentication Protects T1552 Unsecured Credentials
IA-4 Identifier Management Protects T1552 Unsecured Credentials
IA-5 Authenticator Management Protects T1552 Unsecured Credentials
RA-5 Vulnerability Monitoring and Scanning Protects T1552 Unsecured Credentials
SA-11 Developer Testing and Evaluation Protects T1552 Unsecured Credentials
SA-15 Development Process, Standards, and Tools Protects T1552 Unsecured Credentials
SC-12 Cryptographic Key Establishment and Management Protects T1552 Unsecured Credentials
SC-28 Protection of Information at Rest Protects T1552 Unsecured Credentials
SC-4 Information in Shared System Resources Protects T1552 Unsecured Credentials
SC-7 Boundary Protection Protects T1552 Unsecured Credentials
SI-10 Information Input Validation Protects T1552 Unsecured Credentials
SI-12 Information Management and Retention Protects T1552 Unsecured Credentials
SI-15 Information Output Filtering Protects T1552 Unsecured Credentials
SI-2 Flaw Remediation Protects T1552 Unsecured Credentials
SI-4 System Monitoring Protects T1552 Unsecured Credentials
SI-7 Software, Firmware, and Information Integrity Protects T1552 Unsecured Credentials

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1552 Unsecured Credentials
Comments
The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
amazon_guardduty Amazon GuardDuty technique_scores T1552 Unsecured Credentials
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
aws_iot_device_defender AWS IoT Device Defender technique_scores T1552 Unsecured Credentials
Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
  1. https://aws.amazon.com/iot-device-defender/
  2. https://docs.aws.amazon.com/iot-device-defender
  3. https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions
  4. https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases
  5. https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics
  6. https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics
  7. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender
  8. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit
  9. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect
aws_key_management_service AWS Key Management Service technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://aws.amazon.com/kms/
  2. https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
aws_secrets_manager AWS Secrets Manager technique_scores T1552 Unsecured Credentials
Comments
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References
  1. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
  2. https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html
aws_cloudhsm AWS CloudHSM technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://aws.amazon.com/cloudhsm/
  2. https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html
  3. https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1552.003 Bash History 5
T1552.005 Cloud Instance Metadata API 16
T1552.007 Container API 15
T1552.001 Credentials In Files 24
T1552.002 Credentials in Registry 20
T1552.006 Group Policy Preferences 14
T1552.004 Private Keys 27