Home/ MITRE Matrix/ Credential Access/ T1552

T1552Unsecured Credentials

T1552 — Unsecured Credentials is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 12 detection use cases covering it and 1 threat-intel article citing it.

Credential Access

View on the matrix → Filter Detection Library MITRE official spec ↗

12Use cases

1Articles

8Sub-techniques

1Tactic

Sub-techniques (8)

T1552.008 · Chat Messages T1552.005 · Cloud Instance Metadata API T1552.007 · Container API T1552.001 · Credentials In Files T1552.002 · Credentials in Registry T1552.006 · Group Policy Preferences T1552.004 · Private Keys T1552.003 · Shell History

Use cases covering this technique (12)

GCP service-account key created Internal actions · alerting DD GitHub personal access token created Internal actions · alerting DD GitHub personal access token cloning many repositories Internal actions · alerting DD Detect AWS Console Login by New User ESCU actions · hunting P O365 Email Suspicious Search Behavior ESCU actions · hunting P O365 SharePoint Suspicious Search Behavior ESCU actions · hunting P Windows LAPS Password Gathering Via PowerShell Script ESCU actions · hunting P Windows Post Exploitation Risk Behavior ESCU actions · alerting P Windows Unsecured Outlook Credentials Access In Registry ESCU actions · hunting P Cisco SNMP Community String Configuration Changes ESCU actions · hunting P Windows SharePoint Spinstall0 GET Request ESCU actions · alerting P [LLM] npm lifecycle script harvests secrets via TruffleHog or chains to GitHub API Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (1)

high npm v12 delivers one of the biggest security improvements in years art-46