Credentials In Files - T1552.001
(ATT&CK® Technique)
Definition
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
D3FEND Inferred Relationships
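Browse the D3FEND knowledge graph by clicking on the nodes below. Each defensive technique is linked to this offensive technique through an artifact they both touch (File or Credential), so the dashed "may-" edges (may-detect, may-harden, may-isolate, may-deceive, may-evict, may-restore) are inferred candidates to evaluate, not confirmed coverage.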
graph LR;
T1552001["Credentials In Files"] --> |accesses| File["File"];
class T1552001 OffensiveTechniqueNode;
class File ArtifactNode;
click File href "/dao/artifact/d3f:File";
click T1552001 href "/offensive-technique/attack/T1552.001/";
click File href "/dao/artifact/d3f:File";
T1552001["Credentials In Files"] --> |accesses| Credential["Credential"];
class T1552001 OffensiveTechniqueNode;
class Credential ArtifactNode;
click Credential href "/dao/artifact/d3f:Credential";
click T1552001 href "/offensive-technique/attack/T1552.001/";
click Credential href "/dao/artifact/d3f:Credential";
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1552001["Credentials In Files"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class File ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
FileEviction["File Eviction"] --> | deletes | File["File"];
FileEviction["File Eviction"] -.-> | may-evict | T1552001["Credentials In Files"] ;
class FileEviction DefensiveTechniqueNode;
class File ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction";
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | Credential["Credential"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1552001["Credentials In Files"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class Credential ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";
CredentialRevocation["Credential Revocation"] --> | deletes | Credential["Credential"];
CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1552001["Credentials In Files"] ;
class CredentialRevocation DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation";
FileEncryption["File Encryption"] --> | encrypts | File["File"];
FileEncryption["File Encryption"] -.-> | may-harden | T1552001["Credentials In Files"] ;
class FileEncryption DefensiveTechniqueNode;
class File ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
CredentialRotation["Credential Rotation"] --> | regenerates | Credential["Credential"];
CredentialRotation["Credential Rotation"] -.-> | may-harden | T1552001["Credentials In Files"] ;
class CredentialRotation DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation";
LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"];
LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1552001["Credentials In Files"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class File ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | Credential["Credential"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1552001["Credentials In Files"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";
ReissueCredential["Reissue Credential"] --> | restores | Credential["Credential"];
ReissueCredential["Reissue Credential"] -.-> | may-restore | T1552001["Credentials In Files"] ;
class ReissueCredential DefensiveTechniqueNode;
class Credential ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential";
DecoyFile["Decoy File"] --> | spoofs | File["File"];
DecoyFile["Decoy File"] -.-> | may-deceive | T1552001["Credentials In Files"] ;
class DecoyFile DefensiveTechniqueNode;
class File ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyUserCredential["Decoy User Credential"] --> | spoofs | Credential["Credential"];
DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1552001["Credentials In Files"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class Credential ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | Credential["Credential"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1552001["Credentials In Files"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";
Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | Credential["Credential"];
Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1552001["Credentials In Files"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class Credential ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";
RestoreFile["Restore File"] --> | restores | File["File"];
RestoreFile["Restore File"] -.-> | may-restore | T1552001["Credentials In Files"] ;
class RestoreFile DefensiveTechniqueNode;
class File ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile";
FileAnalysis["File Analysis"] --> | analyzes | File["File"];
FileAnalysis["File Analysis"] -.-> | may-detect | T1552001["Credentials In Files"] ;
class FileAnalysis DefensiveTechniqueNode;
class File ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
CredentialHardening["Credential Hardening"] --> | hardens | Credential["Credential"];
CredentialHardening["Credential Hardening"] -.-> | may-harden | T1552001["Credentials In Files"] ;
class CredentialHardening DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialHardening href "/technique/d3f:CredentialHardening";
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File["File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1552001["Credentials In Files"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class File ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";