1. Home
  2. ATT&CK Techniques
  3. T1552 Unsecured Credentials

T1552 Unsecured Credentials Mappings

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1552 Unsecured Credentials
AC-17 Remote Access Protects T1552 Unsecured Credentials
AC-18 Wireless Access Protects T1552 Unsecured Credentials
AC-19 Access Control for Mobile Devices Protects T1552 Unsecured Credentials
AC-2 Account Management Protects T1552 Unsecured Credentials
AC-20 Use of External Systems Protects T1552 Unsecured Credentials
AC-3 Access Enforcement Protects T1552 Unsecured Credentials
AC-4 Information Flow Enforcement Protects T1552 Unsecured Credentials
AC-5 Separation of Duties Protects T1552 Unsecured Credentials
AC-6 Least Privilege Protects T1552 Unsecured Credentials
CA-7 Continuous Monitoring Protects T1552 Unsecured Credentials
CA-8 Penetration Testing Protects T1552 Unsecured Credentials
CM-2 Baseline Configuration Protects T1552 Unsecured Credentials
CM-5 Access Restrictions for Change Protects T1552 Unsecured Credentials
CM-6 Configuration Settings Protects T1552 Unsecured Credentials
CM-7 Least Functionality Protects T1552 Unsecured Credentials
IA-2 Identification and Authentication (organizational Users) Protects T1552 Unsecured Credentials
IA-3 Device Identification and Authentication Protects T1552 Unsecured Credentials
IA-4 Identifier Management Protects T1552 Unsecured Credentials
IA-5 Authenticator Management Protects T1552 Unsecured Credentials
RA-5 Vulnerability Monitoring and Scanning Protects T1552 Unsecured Credentials
SA-11 Developer Testing and Evaluation Protects T1552 Unsecured Credentials
SA-15 Development Process, Standards, and Tools Protects T1552 Unsecured Credentials
SC-12 Cryptographic Key Establishment and Management Protects T1552 Unsecured Credentials
SC-28 Protection of Information at Rest Protects T1552 Unsecured Credentials
SC-4 Information in Shared System Resources Protects T1552 Unsecured Credentials
SC-7 Boundary Protection Protects T1552 Unsecured Credentials
SI-10 Information Input Validation Protects T1552 Unsecured Credentials
SI-12 Information Management and Retention Protects T1552 Unsecured Credentials
SI-15 Information Output Filtering Protects T1552 Unsecured Credentials
SI-2 Flaw Remediation Protects T1552 Unsecured Credentials
SI-4 System Monitoring Protects T1552 Unsecured Credentials
SI-7 Software, Firmware, and Information Integrity Protects T1552 Unsecured Credentials
CVE-2019-3787 UAA Release (OSS) primary_impact T1552 Unsecured Credentials
CVE-2018-15797 NFS Volume Release exploitation_technique T1552 Unsecured Credentials
CVE-2018-11088 Application Service primary_impact T1552 Unsecured Credentials
CVE-2019-3763 RSA Identity Governance and Lifecycle primary_impact T1552 Unsecured Credentials
CVE-2020-15105 django-two-factor-auth primary_impact T1552 Unsecured Credentials
CVE-2020-12008 Baxter ExactaMix EM 2400 & EM 1200 primary_impact T1552 Unsecured Credentials
CVE-2018-17900 STARDOM Controllers FCJ,FCN-100,FCN-RTU, FCN-500 primary_impact T1552 Unsecured Credentials
CVE-2019-6549 PR100088 Modbus gateway primary_impact T1552 Unsecured Credentials
CVE-2015-0984 n/a uncategorized T1552 Unsecured Credentials
CVE-2018-11749 Puppet Enterprise uncategorized T1552 Unsecured Credentials
CVE-2015-8562 n/a uncategorized T1552 Unsecured Credentials
CVE-2014-0751 n/a uncategorized T1552 Unsecured Credentials
CVE-2020-4408 Qradar Advisor uncategorized T1552 Unsecured Credentials
CVE-2019-13922 SINEMA Remote Connect Server uncategorized T1552 Unsecured Credentials
CVE-2018-7259 n/a uncategorized T1552 Unsecured Credentials
CVE-2018-18641 n/a uncategorized T1552 Unsecured Credentials
CVE-2017-14487 n/a uncategorized T1552 Unsecured Credentials
aws_config AWS Config technique_scores T1552 Unsecured Credentials
Comments
The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: "codebuild-project-envvar-awscred-check" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, "codebuild-project-source-repo-url-check" for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: "secretsmanager-rotation-enabled-check", "secretsmanager-scheduled-rotation-success-check", "secretsmanager-secret-periodic-rotation", and "secretsmanager-using-cmk". This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
amazon_guardduty Amazon GuardDuty technique_scores T1552 Unsecured Credentials
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
aws_iot_device_defender AWS IoT Device Defender technique_scores T1552 Unsecured Credentials
Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
  1. https://aws.amazon.com/iot-device-defender/
  2. https://docs.aws.amazon.com/iot-device-defender
  3. https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions
  4. https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases
  5. https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics
  6. https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics
  7. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender
  8. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit
  9. https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect
aws_key_management_service AWS Key Management Service technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://aws.amazon.com/kms/
  2. https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
aws_secrets_manager AWS Secrets Manager technique_scores T1552 Unsecured Credentials
Comments
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References
  1. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
  2. https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html
aws_cloudhsm AWS CloudHSM technique_scores T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://aws.amazon.com/cloudhsm/
  2. https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html
  3. https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1552.003 Bash History 5
T1552.005 Cloud Instance Metadata API 16
T1552.007 Container API 15
T1552.001 Credentials In Files 31
T1552.002 Credentials in Registry 20
T1552.006 Group Policy Preferences 14
T1552.004 Private Keys 28