Unsecured Credentials - T1552
(ATT&CK® Technique)
Definition
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
    %% D3FEND inferred-relationship graph for ATT&CK T1552 (Unsecured Credentials).
    %% Solid edges: what a technique does to a digital artifact.
    %% Dotted may-* edges: the inferred link from a defensive technique to T1552,
    %% presumably derived from an artifact that both sides touch.
    %% Edges are kept in their original order; only repeated class and click
    %% statements have been collapsed into the declarations at the end.

    %% --- Offensive side: artifacts T1552 accesses ---
    T1552["Unsecured Credentials"] --> |accesses| Credential["Credential"];
    T1552["Unsecured Credentials"] --> |accesses| SystemConfigurationDatabase["System Configuration Database"];
    T1552["Unsecured Credentials"] --> |accesses| File["File"];
    %% NOTE(review): no defensive technique in this graph acts on Private Key.
    T1552["Unsecured Credentials"] --> |accesses| PrivateKey["Private Key"];
    T1552["Unsecured Credentials"] --> |accesses| CloudInstanceMetadata["Cloud Instance Metadata"];
    T1552["Unsecured Credentials"] --> |accesses| CommandHistoryLogFile["Command History Log File"];
    T1552["Unsecured Credentials"] --> |accesses| GroupPolicy["Group Policy"];

    %% --- Defensive side: one group per technique ---

    %% Decoy File (may-deceive)
    DecoyFile["Decoy File"] --> | spoofs | CommandHistoryLogFile["Command History Log File"];
    DecoyFile["Decoy File"] -.-> | may-deceive | T1552["Unsecured Credentials"];
    DecoyFile["Decoy File"] --> | spoofs | File["File"];

    %% Decoy User Credential (may-deceive)
    DecoyUserCredential["Decoy User Credential"] --> | spoofs | Credential["Credential"];
    DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1552["Unsecured Credentials"];

    %% File Integrity Monitoring (may-detect)
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"];
    FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1552["Unsecured Credentials"];
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | CommandHistoryLogFile["Command History Log File"];

    %% System Configuration Permissions (may-harden)
    SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase["System Configuration Database"];
    SystemConfigurationPermissions["System Configuration Permissions"] -.-> | may-harden | T1552["Unsecured Credentials"];

    %% File Encryption (may-harden)
    FileEncryption["File Encryption"] --> | encrypts | File["File"];
    FileEncryption["File Encryption"] -.-> | may-harden | T1552["Unsecured Credentials"];
    FileEncryption["File Encryption"] --> | encrypts | CommandHistoryLogFile["Command History Log File"];

    %% Credential Compromise Scope Analysis (may-detect)
    CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | Credential["Credential"];
    CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1552["Unsecured Credentials"];

    %% Multi-factor Authentication (may-harden)
    Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | Credential["Credential"];
    Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1552["Unsecured Credentials"];

    %% Credential Revocation (may-evict)
    CredentialRevocation["Credential Revocation"] --> | deletes | Credential["Credential"];
    CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1552["Unsecured Credentials"];

    %% Authentication Cache Invalidation (may-evict)
    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | Credential["Credential"];
    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1552["Unsecured Credentials"];

    %% File Eviction (may-evict)
    FileEviction["File Eviction"] --> | deletes | CommandHistoryLogFile["Command History Log File"];
    FileEviction["File Eviction"] -.-> | may-evict | T1552["Unsecured Credentials"];
    FileEviction["File Eviction"] --> | deletes | File["File"];

    %% Credential Rotation (may-harden)
    CredentialRotation["Credential Rotation"] --> | regenerates | Credential["Credential"];
    CredentialRotation["Credential Rotation"] -.-> | may-harden | T1552["Unsecured Credentials"];

    %% Credential Transmission Scoping (may-isolate)
    CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | Credential["Credential"];
    CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1552["Unsecured Credentials"];

    %% Local File Permissions (may-isolate)
    LocalFilePermissions["Local File Permissions"] --> | restricts | CommandHistoryLogFile["Command History Log File"];
    LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1552["Unsecured Credentials"];
    LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"];

    %% Content Modification (may-isolate)
    ContentModification["Content Modification"] --> | modifies | File["File"];
    ContentModification["Content Modification"] -.-> | may-isolate | T1552["Unsecured Credentials"];
    ContentModification["Content Modification"] --> | modifies | CommandHistoryLogFile["Command History Log File"];

    %% Content Quarantine (may-isolate)
    ContentQuarantine["Content Quarantine"] --> | quarantines | File["File"];
    ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1552["Unsecured Credentials"];
    ContentQuarantine["Content Quarantine"] --> | quarantines | CommandHistoryLogFile["Command History Log File"];

    %% Restore File (may-restore)
    RestoreFile["Restore File"] --> | restores | File["File"];
    RestoreFile["Restore File"] -.-> | may-restore | T1552["Unsecured Credentials"];
    RestoreFile["Restore File"] --> | restores | CommandHistoryLogFile["Command History Log File"];

    %% Restore Configuration (may-restore)
    RestoreConfiguration["Restore Configuration"] --> | restores | GroupPolicy["Group Policy"];
    RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1552["Unsecured Credentials"];
    RestoreConfiguration["Restore Configuration"] --> | restores | CloudInstanceMetadata["Cloud Instance Metadata"];

    %% Restore Database (may-restore)
    RestoreDatabase["Restore Database"] --> | restores | SystemConfigurationDatabase["System Configuration Database"];
    RestoreDatabase["Restore Database"] -.-> | may-restore | T1552["Unsecured Credentials"];

    %% File Analysis (may-detect)
    FileAnalysis["File Analysis"] --> | analyzes | File["File"];
    FileAnalysis["File Analysis"] -.-> | may-detect | T1552["Unsecured Credentials"];
    FileAnalysis["File Analysis"] --> | analyzes | CommandHistoryLogFile["Command History Log File"];

    %% Credential Hardening (may-harden)
    CredentialHardening["Credential Hardening"] --> | hardens | Credential["Credential"];
    CredentialHardening["Credential Hardening"] -.-> | may-harden | T1552["Unsecured Credentials"];

    %% Reissue Credential (may-restore)
    ReissueCredential["Reissue Credential"] --> | restores | Credential["Credential"];
    ReissueCredential["Reissue Credential"] -.-> | may-restore | T1552["Unsecured Credentials"];

    %% Content Filtering (may-isolate)
    ContentFiltering["Content Filtering"] --> | filters | File["File"];
    ContentFiltering["Content Filtering"] -.-> | may-isolate | T1552["Unsecured Credentials"];
    ContentFiltering["Content Filtering"] --> | filters | CommandHistoryLogFile["Command History Log File"];

    %% Remote File Access Mediation (may-isolate)
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File["File"];
    RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1552["Unsecured Credentials"];
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | CommandHistoryLogFile["Command History Log File"];

    %% --- Node styling: each node is assigned its class once ---
    class T1552 OffensiveTechniqueNode;
    class Credential,SystemConfigurationDatabase,File,PrivateKey,CloudInstanceMetadata,CommandHistoryLogFile,GroupPolicy ArtifactNode;
    class DecoyFile,DecoyUserCredential,FileIntegrityMonitoring,SystemConfigurationPermissions,FileEncryption,CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
    %% The hyphenated id keeps its own class statement, exactly as in the source.
    class Multi-factorAuthentication DefensiveTechniqueNode;
    class CredentialRevocation,AuthenticationCacheInvalidation,FileEviction,CredentialRotation,CredentialTransmissionScoping,LocalFilePermissions DefensiveTechniqueNode;
    class ContentModification,ContentQuarantine,RestoreFile,RestoreConfiguration,RestoreDatabase,FileAnalysis DefensiveTechniqueNode;
    class CredentialHardening,ReissueCredential,ContentFiltering,RemoteFileAccessMediation DefensiveTechniqueNode;

    %% --- Node links: offensive technique, then artifacts, then defensive techniques ---
    click T1552 href "../../../offensive-technique/attack/T1552/";

    click Credential href "../../../dao/artifact/d3f:Credential";
    click SystemConfigurationDatabase href "../../../dao/artifact/d3f:SystemConfigurationDatabase";
    click File href "../../../dao/artifact/d3f:File";
    click PrivateKey href "../../../dao/artifact/d3f:PrivateKey";
    click CloudInstanceMetadata href "../../../dao/artifact/d3f:CloudInstanceMetadata";
    click CommandHistoryLogFile href "../../../dao/artifact/d3f:CommandHistoryLogFile";
    click GroupPolicy href "../../../dao/artifact/d3f:GroupPolicy";

    click DecoyFile href "../../../technique/d3f:DecoyFile";
    click DecoyUserCredential href "../../../technique/d3f:DecoyUserCredential";
    click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";
    click SystemConfigurationPermissions href "../../../technique/d3f:SystemConfigurationPermissions";
    click FileEncryption href "../../../technique/d3f:FileEncryption";
    click CredentialCompromiseScopeAnalysis href "../../../technique/d3f:CredentialCompromiseScopeAnalysis";
    click Multi-factorAuthentication href "../../../technique/d3f:Multi-factorAuthentication";
    click CredentialRevocation href "../../../technique/d3f:CredentialRevocation";
    click AuthenticationCacheInvalidation href "../../../technique/d3f:AuthenticationCacheInvalidation";
    click FileEviction href "../../../technique/d3f:FileEviction";
    click CredentialRotation href "../../../technique/d3f:CredentialRotation";
    click CredentialTransmissionScoping href "../../../technique/d3f:CredentialTransmissionScoping";
    click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";
    click ContentModification href "../../../technique/d3f:ContentModification";
    click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";
    click RestoreFile href "../../../technique/d3f:RestoreFile";
    click RestoreConfiguration href "../../../technique/d3f:RestoreConfiguration";
    click RestoreDatabase href "../../../technique/d3f:RestoreDatabase";
    click FileAnalysis href "../../../technique/d3f:FileAnalysis";
    click CredentialHardening href "../../../technique/d3f:CredentialHardening";
    click ReissueCredential href "../../../technique/d3f:ReissueCredential";
    click ContentFiltering href "../../../technique/d3f:ContentFiltering";
    click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";