T1552 Unsecured Credentials
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys). [1]
| Item | Value |
|---|---|
| ID | T1552 |
| Sub-techniques | T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008 |
| Tactics | TA0006 |
| Platforms | Containers, IaaS, Identity Provider, Linux, Network Devices, Office Suite, SaaS, Windows, macOS |
| Version | 1.5 |
| Created | 04 February 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0373 | Astaroth | Astaroth uses external software known as NetPass to recover passwords. [9] |
| S1111 | DarkGate | DarkGate uses NirSoft tools to steal user credentials from the infected machine. [8] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| C0049 | Leviathan Australian Intrusions | Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions. [11] |
| S1131 | NPPSPY | NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information. [7] |
| S1091 | Pacu | Pacu can search for sensitive data: for example, in CodeBuild environment variables, EC2 user data, and CloudFormation templates. [6] |
| G1017 | Volt Typhoon | Volt Typhoon has obtained credentials insecurely stored on targeted network appliances. [10] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1015 | Active Directory Configuration | Remove vulnerable Group Policy Preferences. [4] |
| M1047 | Audit | Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. |
| M1041 | Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. |
| M1037 | Filter Network Traffic | Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API. [5] |
| M1035 | Limit Access to Resource Over Network | Limit network access to sensitive services, such as the Instance Metadata API. |
| M1028 | Operating System Configuration | There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands: `set +o history` to stop logging and `set -o history` to start logging again; `unset HISTFILE` added to a user’s .bashrc file; and `ln -s /dev/null ~/.bash_history` to write commands to /dev/null instead. |
| M1027 | Password Policies | Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files. |
| M1026 | Privileged Account Management | If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
| M1022 | Restrict File and Directory Permissions | Restrict file shares to specific directories with access only to necessary users. |
| M1051 | Update Software | Apply patch KB2962486, which prevents credentials from being stored in GPPs. [2][3] |
| M1017 | User Training | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
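The Audit mitigation (M1047) above says to preemptively search for files containing credentials. The following is an added example of such an audit, written for this page and not part of ATT&CK or any referenced tool: a small Python scanner that walks a directory tree, flags lines that look like private key headers, AWS access key IDs or password assignments, and masks every match so the audit report does not itself become another unsecured-credentials artifact. The sample tree it writes to a temporary directory (shell history, an application config file, a cloud credentials file, a private key) and the credential values in it are constructed for the demo; `AKIAIOSFODNN7EXAMPLE` is the key ID AWS publishes as a documentation example. The pattern set is a deliberately small illustration, not a complete secret-detection rule set.

```python
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Illustrative heuristics only; a production audit would use a fuller rule set
# (more key formats, entropy checks, allow-lists for known test fixtures).
PATTERNS: dict[str, re.Pattern[str]] = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # password=..., password: ..., --password=..., DB_PASSWORD=... (no leading \b, so
    # prefixed names such as DB_PASSWORD are still caught).
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # masked match text, so the audit report does not itself leak the secret


def redact(text: str, keep: int = 4) -> str:
    """Keep the first `keep` characters of a match and mask the rest."""
    return text[:keep] + "*" * max(len(text) - keep, 0)


def scan_text(text: str, path: str = "<string>") -> list[Finding]:
    """Run every pattern over every line of `text` and return the findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk `root` (hidden files included) and scan every readable text file."""
    findings: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue  # binary or unreadable file: skip it rather than abort the audit
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend(scan_text(text, rel))
    return findings


def by_kind(findings: list[Finding]) -> dict[str, int]:
    """Count findings per pattern kind, for a summary line in the report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample tree mirroring the storage locations the technique names:
# shell history, an application config file, a cloud credentials file and a private key.
SAMPLE_FILES = {
    ".bash_history": "ls -la\nmysql -u root --password=S3cretDemo inventory\ncd /tmp\n",
    "app/config.ini": "[db]\nhost = db.internal\npassword = ChangeMeDemo\n",
    ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "keys/id_demo": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Nothing sensitive in this file.\n",
}


def demo() -> list[Finding]:
    """Write the sample tree to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return sorted(scan_tree(root), key=lambda f: (f.path, f.line_no))


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.redacted}")
    print("summary:", by_kind(results))
```

Running the script reports four findings (one each in the shell history, the config file, the cloud credentials file and the key file) and nothing for the README. Two design points matter for a real audit: unreadable or binary files are skipped instead of aborting the run, and the report carries only the masked match, so the audit output can be shared with the owning team without reproducing the credential it found.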
References
1. Tim Wadhwa-Brown. (2018, November). Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
2. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
3. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
4. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.
5. Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
6. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
7. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
8. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
9. Salem, E. (2019, February 13). Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data. Retrieved April 17, 2019.
10. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
11. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.