Skip to content

T1552 Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Item Value
ID T1552
Sub-techniques T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008
Tactics TA0006
Platforms Azure AD, Containers, Google Workspace, IaaS, Linux, Network, Office 365, SaaS, Windows, macOS
Version 1.3
Created 04 February 2020
Last Modified 13 April 2023

Procedure Examples

ID Name Description
S0373 Astaroth Astaroth uses an external software known as NetPass to recover passwords. 5

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration Remove vulnerable Group Policy Preferences.1
M1047 Audit Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.
M1041 Encrypt Sensitive Information When possible, store keys on separate cryptographic hardware instead of on the local system.
M1037 Filter Network Traffic Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.2
M1035 Limit Access to Resource Over Network Limit network access to sensitive services, such as the Instance Metadata API.
M1028 Operating System Configuration There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands:
set +o history and set -o history to start logging again;
unset HISTFILE being added to a user’s .bash_rc file; and
ln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.
M1027 Password Policies Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.
M1026 Privileged Account Management If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
M1022 Restrict File and Directory Permissions Restrict file shares to specific directories with access only to necessary users.
M1051 Update Software Apply patch KB2962486 which prevents credentials from being stored in GPPs.34
M1017 User Training Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process Process Creation
DS0002 User Account User Account Authentication
DS0024 Windows Registry Windows Registry Key Access

References

  1. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015. 

  2. Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019. 

  3. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020. 

  4. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020. 

  5. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  6. Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023.