Skip to content

DET0307 Detect Access to Unsecured Credential Files Across Platforms

Item Value
ID DET0307
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1552.001 (Credentials In Files)

Analytics

Windows

AN0856

Correlated file access to insecure credential files (e.g., .env, .xml, *.ps1) followed by suspicious process execution or authentication using retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Mutable Elements
Field Description
FileNamePattern Patterns like .env, credential* can be tuned to reduce noise or catch custom implementations
ProcessAccessScope Defines scope of access (e.g., only untrusted parent processes or high-risk processes)
TimeWindow Time delta between credential file access and use in logon attempt

Linux

AN0857

File reads or process executions involving insecurely stored credential files (e.g., config files with password fields) by non-root or anomalous users followed by ssh authentication attempts.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open/read of sensitive config or secret files
Command Execution (DC0064) auditd:EXECVE grep/cat/awk on files with password fields
Logon Session Creation (DC0067) linux:syslog authentication success after file access
Mutable Elements
Field Description
RegexPatterns Patterns like password, secret, token can be expanded or customized
UserContextScope Scope of users monitored (e.g., root vs all users)
TimeWindow Time between suspicious file access and credential use

macOS

AN0858

Terminal-based grep or open of plist/config files containing credentials, correlated with Keychain or system login attempts.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog grep/cat on files matching credential patterns
File Access (DC0055) macos:unifiedlog open/read of *.plist or .env files
Logon Session Creation (DC0067) macos:unifiedlog Keychain or user login post-access
Mutable Elements
Field Description
KeychainToolAccess Monitor unexpected use of security CLI or Keychain helper binaries
FileTypeList Add or remove watched file types based on system usage

Containers

AN0859

Container processes accessing mounted secrets or configuration paths (e.g., /run/secrets, /mnt/config) followed by network access or credential use.

Log Sources
Data Component Name Channel
File Access (DC0055) ebpf:syscalls open/read on secret mount paths
Command Execution (DC0064) kubernetes:audit process execution involving curl, grep, or awk on secrets
Network Connection Creation (DC0082) cni:netflow outbound connection to internal or external APIs
Mutable Elements
Field Description
SecretMountPaths Customize based on deployment structure (e.g., /mnt/, /run/secrets/)
ProcessBaselineDeviation Tune anomaly scoring for container image deviations

IaaS

AN0860

Access to local credential/config files (e.g., ~/.aws/credentials) followed by metadata API calls or cloud role assumptions.

Log Sources
Data Component Name Channel
File Access (DC0055) CloudTrail:GetObject sensitive credential files in buckets or local image storage
Command Execution (DC0064) AWS:CloudTrail command-line execution invoking credential enumeration
Logon Session Creation (DC0067) AWS:CloudTrail sudden role assumption after credential file access
Mutable Elements
Field Description
CredentialFilePattern Regex to match common credential files (e.g., *.aws/credentials, token.txt)
RoleAssumptionScope Adjust scope of roles monitored (e.g., admin, service accounts)
TimeWindow Correlation timing between file access and AssumeRole