Applied Cybernetics Group
T1552 — Unsecured Credentials
- Technique: T1552
- Tactics: Credential Access
- MISP citations: 0
- KEV CVEs mapped: 4
- Community rules: 13
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1552
MITRE description
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings, these are the actively exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- EventLog Query Requests By Builtin Utilities (threat-hunting)
- Kubernetes Admission Controller Modification (core)
- Azure Keyvault Key Modified or Deleted (core)
- Azure Key Vault Modified or Deleted (core)
- Azure Keyvault Secrets Modified or Deleted (core)
- Azure Kubernetes Admission Controller (core)
- Application AppID Uri Configuration Changes (core)
- Added Owner To Application (core)
- Google Cloud Kubernetes Admission Controller (core)
- Potential Okta Password in AlternateID Field (core)
- Script Interpreter Spawning Credential Scanner - Linux (core)
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (core)
- Script Interpreter Spawning Credential Scanner - Windows (core)