T1552: Unsecured Credentials

Data from MITRE ATT&CK®:

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Update Software

Perform regular software updates to mitigate exploitation risk.

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Password Policies

Set and enforce secure password policies for accounts.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Windows Registry Key Access (Windows Registry)

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

User Account Authentication (User Account)

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

AWS - Retrieve EC2 Password Data using stratus

linux macos iaas:aws

Added Owner To Application

azure

Azure Key Vault Modified or Deleted

azure

Azure Keyvault Key Modified or Deleted

azure

Potential Okta Password in AlternateID Field

okta

Azure Kubernetes Admission Controller

azure

Azure Keyvault Secrets Modified or Deleted

azure

Application AppID Uri Configuration Changes

azure

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

windows process creation

Google Cloud Kubernetes Admission Controller

gcp