T1552.001: Credentials In Files

Data from MITRE ATT&CK®:

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Password Policies

Set and enforce secure password policies for accounts.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Extract Browser and System credentials with LaZagne

macos

Extracting passwords with findstr

windows

Find and Access Github Credentials

linux macos

WinPwn - Snaffler

windows

WinPwn - SessionGopher

windows

Access unattend.xml

windows

WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials

windows

Find AWS credentials

macos linux

WinPwn - powershellsensitive

windows

Extract passwords with grep

linux macos

WinPwn - passhunt

windows

WinPwn - sensitivefiles

windows

Suspicious Unattend.xml File Access

windows file event

Azure Keyvault Secrets Modified or Deleted

azure

Linux Recon Indicators

linux process creation

Typical HiveNightmare SAM File Export

windows file event

Suspicious Active Directory Database Snapshot Via ADExplorer

windows process creation

Insensitive Subfolder Search Via Findstr.EXE

windows process creation

Automated Collection Command Prompt

windows process creation

Cisco Collect Data

cisco

Active Directory Database Snapshot Via ADExplorer

windows process creation

Extracting Information with PowerShell

windows ps script

HackTool - WinPwn Execution - ScriptBlock

windows ps script

HackTool - WinPwn Execution

windows process creation

Azure Keyvault Key Modified or Deleted

azure

Azure Key Vault Modified or Deleted

azure

Copy Passwd Or Shadow From TMP Path

linux process creation

Credentials In Files

macos process creation

Credentials In Files - Linux

linux

Remote File Download Via Findstr.EXE

windows process creation