Clankerusecase
MITRE ATT&CK detection coverage

T1552.004 Private Keys

T1552.004 — Private Keys is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 26 detection use cases covering it and 16 threat-intel articles citing it.

26 use cases · 16 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (26)

[WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules (Internal · install · alerting)
[WEEKLY] Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain (Internal · install · alerting)
[WEEKLY] Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) (Internal · install · alerting)
Linux Auditd Find Ssh Private Keys (ESCU · actions · hunting)
Linux Auditd Private Keys and Certificate Enumeration (ESCU · actions · hunting)
Windows Export Certificate (ESCU · actions · hunting)
Windows PowerShell Export Certificate (ESCU · actions · hunting)
Windows PowerShell Export PfxCertificate (ESCU · actions · hunting)
Windows Private Keys Discovery (ESCU · actions · hunting)
Linux Auditd Find Private Keys (ESCU · actions · alerting)
[LLM] Non-browser process fan-out reading SSH/npm/Docker/AWS/browser credential stores on Arch host (Bespoke · actions · hunting)
[LLM] Atomic Arch infostealer — bulk reads of SSH/npmrc/Vault/browser-cookie files by non-shell process (Bespoke · actions · hunting)
[LLM] AI coding agent descendant reading developer credentials / env (Agentjacking credential access) (Bespoke · actions · hunting)
[LLM] BitLocker tamper attempt via manage-bde or BitLocker PowerShell after WinRE shell access (Bespoke · actions · alerting)
[LLM] npm install-time process reads .npmrc, SSH key, or cloud-credential file (Bespoke · actions · alerting)
[LLM] nebula-mesh CVE-2026-47724 — cross-tenant host identity hijack via /hosts/{id}/reenroll → /enroll chain (Bespoke · install · alerting)
[LLM] Claude Code Read tool steered to cloud-credential files on GitHub Actions runner (Bespoke · exploit · alerting)
[LLM] Cloud/SSH/npm credential file access by Node or Bun during npm install (Bespoke · actions · hunting)
[LLM] Megalodon harvester: clustered read of ~/.ssh/id_*, ~/.kube/config, ~/.npmrc, ~/.docker/config.json in one session (Bespoke · actions · hunting)
[LLM] VS Code extension host fan-out reads of developer secrets (.ssh, .aws, .npmrc, ~/.claude/settings.json) (Bespoke · actions · hunting)
[LLM] Coder CVE-2026-46354 - Agent token redemption: PKCS#7 POST followed by gitsshkey / external-auth GET (Bespoke · actions · alerting)
[LLM] TeamPCP Linux credential harvest: Python reading /etc/shadow + auth.log + cloud (Bespoke · actions · hunting)
[LLM] AI agent process reads cloud-credential, SSH or dotenv files (skill credential theft) (Bespoke · actions · hunting)
[LLM] Postinstall node child enumerating multiple developer credential stores (Bespoke · actions · hunting)
[LLM] Internal workflows pulling aws-actions/configure-aws-credentials@v4.3.0 during the buggy-release window (Bespoke · delivery · hunting)
[LLM] .NET build (dotnet/MSBuild) spawns git config to harvest user.email (Bespoke · actions · hunting)

Articles citing this technique (16)