Unsecured Credentials - T1552
(ATT&CK® Technique)
Definition
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
D3FEND Inferred Relationships
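Browse the D3FEND knowledge graph by clicking on the nodes below. Each defensive technique is linked to T1552 through a digital artifact that both act on; the dotted "may-" edges are inferred from that shared artifact and mark candidate countermeasures, not confirmed coverage.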
graph LR;
    %% D3FEND inferred-relationship graph for ATT&CK T1552 (Unsecured Credentials).
    %% Solid edges (-->) relate a technique to a digital artifact.
    %% Dotted edges (-.->) are the inferred "may-*" links from a defensive
    %% technique to T1552; they follow from a shared artifact.
    %% Statement order and repeated class/click lines are kept as generated.

    %% --- Artifacts the offensive technique accesses ---
    %% In this graph no defensive technique is linked to Private Key, and only
    %% Restore Configuration is linked to Cloud Instance Metadata and Group Policy.
    T1552["Unsecured Credentials"] --> |accesses| Credential["Credential"];
    class T1552 OffensiveTechniqueNode;
    class Credential ArtifactNode;
    click Credential href "/dao/artifact/d3f:Credential";
    click T1552 href "/offensive-technique/attack/T1552/";
    click Credential href "/dao/artifact/d3f:Credential";
    T1552["Unsecured Credentials"] --> |accesses| SystemConfigurationDatabase["System Configuration Database"];
    class T1552 OffensiveTechniqueNode;
    class SystemConfigurationDatabase ArtifactNode;
    click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
    click T1552 href "/offensive-technique/attack/T1552/";
    click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
    T1552["Unsecured Credentials"] --> |accesses| File["File"];
    class T1552 OffensiveTechniqueNode;
    class File ArtifactNode;
    click File href "/dao/artifact/d3f:File";
    click T1552 href "/offensive-technique/attack/T1552/";
    click File href "/dao/artifact/d3f:File";
    T1552["Unsecured Credentials"] --> |accesses| PrivateKey["Private Key"];
    class T1552 OffensiveTechniqueNode;
    class PrivateKey ArtifactNode;
    click PrivateKey href "/dao/artifact/d3f:PrivateKey";
    click T1552 href "/offensive-technique/attack/T1552/";
    click PrivateKey href "/dao/artifact/d3f:PrivateKey";
    T1552["Unsecured Credentials"] --> |accesses| CloudInstanceMetadata["Cloud Instance Metadata"];
    class T1552 OffensiveTechniqueNode;
    class CloudInstanceMetadata ArtifactNode;
    click CloudInstanceMetadata href "/dao/artifact/d3f:CloudInstanceMetadata";
    click T1552 href "/offensive-technique/attack/T1552/";
    click CloudInstanceMetadata href "/dao/artifact/d3f:CloudInstanceMetadata";
    T1552["Unsecured Credentials"] --> |accesses| CommandHistoryLogFile["Command History Log File"];
    class T1552 OffensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click CommandHistoryLogFile href "/dao/artifact/d3f:CommandHistoryLogFile";
    click T1552 href "/offensive-technique/attack/T1552/";
    click CommandHistoryLogFile href "/dao/artifact/d3f:CommandHistoryLogFile";
    T1552["Unsecured Credentials"] --> |accesses| GroupPolicy["Group Policy"];
    class T1552 OffensiveTechniqueNode;
    class GroupPolicy ArtifactNode;
    click GroupPolicy href "/dao/artifact/d3f:GroupPolicy";
    click T1552 href "/offensive-technique/attack/T1552/";
    click GroupPolicy href "/dao/artifact/d3f:GroupPolicy";

    %% --- may-detect: techniques that analyze an accessed artifact ---
    CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | Credential["Credential"];
    CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1552["Unsecured Credentials"] ;
    class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | CommandHistoryLogFile["Command History Log File"];
    FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1552["Unsecured Credentials"] ;
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"];
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    class File ArtifactNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

    %% --- may-deceive: decoys that spoof an accessed artifact ---
    DecoyFile["Decoy File"] --> | spoofs | CommandHistoryLogFile["Command History Log File"];
    DecoyFile["Decoy File"] -.-> | may-deceive | T1552["Unsecured Credentials"] ;
    class DecoyFile DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click DecoyFile href "/technique/d3f:DecoyFile";
    DecoyFile["Decoy File"] --> | spoofs | File["File"];
    class DecoyFile DefensiveTechniqueNode;
    class File ArtifactNode;
    click DecoyFile href "/technique/d3f:DecoyFile";
    DecoyUserCredential["Decoy User Credential"] --> | spoofs | Credential["Credential"];
    DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1552["Unsecured Credentials"] ;
    class DecoyUserCredential DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";

    %% --- may-evict: techniques that delete an accessed artifact ---
    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | Credential["Credential"];
    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1552["Unsecured Credentials"] ;
    class AuthenticationCacheInvalidation DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";
    CredentialRevocation["Credential Revocation"] --> | deletes | Credential["Credential"];
    CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1552["Unsecured Credentials"] ;
    class CredentialRevocation DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click CredentialRevocation href "/technique/d3f:CredentialRevocation";
    FileEviction["File Eviction"] --> | deletes | File["File"];
    FileEviction["File Eviction"] -.-> | may-evict | T1552["Unsecured Credentials"] ;
    class FileEviction DefensiveTechniqueNode;
    class File ArtifactNode;
    click FileEviction href "/technique/d3f:FileEviction";
    FileEviction["File Eviction"] --> | deletes | CommandHistoryLogFile["Command History Log File"];
    class FileEviction DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click FileEviction href "/technique/d3f:FileEviction";

    %% --- may-harden: rotation, encryption, configuration permissions, MFA ---
    CredentialRotation["Credential Rotation"] --> | regenerates | Credential["Credential"];
    CredentialRotation["Credential Rotation"] -.-> | may-harden | T1552["Unsecured Credentials"] ;
    class CredentialRotation DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click CredentialRotation href "/technique/d3f:CredentialRotation";
    FileEncryption["File Encryption"] --> | encrypts | File["File"];
    FileEncryption["File Encryption"] -.-> | may-harden | T1552["Unsecured Credentials"] ;
    class FileEncryption DefensiveTechniqueNode;
    class File ArtifactNode;
    click FileEncryption href "/technique/d3f:FileEncryption";
    SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase["System Configuration Database"];
    SystemConfigurationPermissions["System Configuration Permissions"] -.-> | may-harden | T1552["Unsecured Credentials"] ;
    class SystemConfigurationPermissions DefensiveTechniqueNode;
    class SystemConfigurationDatabase ArtifactNode;
    click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions";
    FileEncryption["File Encryption"] --> | encrypts | CommandHistoryLogFile["Command History Log File"];
    class FileEncryption DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click FileEncryption href "/technique/d3f:FileEncryption";
    Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | Credential["Credential"];
    Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1552["Unsecured Credentials"] ;
    class Multi-factorAuthentication DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";

    %% --- may-isolate: permission and transmission scoping ---
    LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"];
    LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1552["Unsecured Credentials"] ;
    class LocalFilePermissions DefensiveTechniqueNode;
    class File ArtifactNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
    LocalFilePermissions["Local File Permissions"] --> | restricts | CommandHistoryLogFile["Command History Log File"];
    class LocalFilePermissions DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
    CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | Credential["Credential"];
    CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1552["Unsecured Credentials"] ;
    class CredentialTransmissionScoping DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";

    %% --- may-restore: techniques that restore an accessed artifact ---
    RestoreFile["Restore File"] --> | restores | File["File"];
    RestoreFile["Restore File"] -.-> | may-restore | T1552["Unsecured Credentials"] ;
    class RestoreFile DefensiveTechniqueNode;
    class File ArtifactNode;
    click RestoreFile href "/technique/d3f:RestoreFile";
    RestoreConfiguration["Restore Configuration"] --> | restores | CloudInstanceMetadata["Cloud Instance Metadata"];
    RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1552["Unsecured Credentials"] ;
    class RestoreConfiguration DefensiveTechniqueNode;
    class CloudInstanceMetadata ArtifactNode;
    click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";
    RestoreConfiguration["Restore Configuration"] --> | restores | GroupPolicy["Group Policy"];
    class RestoreConfiguration DefensiveTechniqueNode;
    class GroupPolicy ArtifactNode;
    click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";
    RestoreFile["Restore File"] --> | restores | CommandHistoryLogFile["Command History Log File"];
    class RestoreFile DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click RestoreFile href "/technique/d3f:RestoreFile";
    RestoreDatabase["Restore Database"] --> | restores | SystemConfigurationDatabase["System Configuration Database"];
    RestoreDatabase["Restore Database"] -.-> | may-restore | T1552["Unsecured Credentials"] ;
    class RestoreDatabase DefensiveTechniqueNode;
    class SystemConfigurationDatabase ArtifactNode;
    click RestoreDatabase href "/technique/d3f:RestoreDatabase";

    %% --- Further entries, in generated order (detect, harden, restore, isolate) ---
    FileAnalysis["File Analysis"] --> | analyzes | File["File"];
    FileAnalysis["File Analysis"] -.-> | may-detect | T1552["Unsecured Credentials"] ;
    class FileAnalysis DefensiveTechniqueNode;
    class File ArtifactNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";
    FileAnalysis["File Analysis"] --> | analyzes | CommandHistoryLogFile["Command History Log File"];
    class FileAnalysis DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";
    CredentialHardening["Credential Hardening"] --> | hardens | Credential["Credential"];
    CredentialHardening["Credential Hardening"] -.-> | may-harden | T1552["Unsecured Credentials"] ;
    class CredentialHardening DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click CredentialHardening href "/technique/d3f:CredentialHardening";
    ReissueCredential["Reissue Credential"] --> | restores | Credential["Credential"];
    ReissueCredential["Reissue Credential"] -.-> | may-restore | T1552["Unsecured Credentials"] ;
    class ReissueCredential DefensiveTechniqueNode;
    class Credential ArtifactNode;
    click ReissueCredential href "/technique/d3f:ReissueCredential";
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File["File"];
    RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1552["Unsecured Credentials"] ;
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    class File ArtifactNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | CommandHistoryLogFile["Command History Log File"];
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    class CommandHistoryLogFile ArtifactNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";