T1552.001: T1552.001

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1552.001
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Credentials In Files

Platforms

windows macos linux Containers IaaS

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP) In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Unit 42 Hildegard Malware
Unit 42 Unsecured Docker Daemons
mitre-attack (T1552.001)
CG 2014
Specter Ops - Cloud Credential Storage
SRD GPP

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Stone Wolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 uses GOLD CABINShathak

The MITRE Corporation Confidence 100

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Linen Typhoon, Violet Typhoon, Storm-2603 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6148 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Saci uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1151 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Emennet Pasargad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8616 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Angry Likho uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
hackerbot-claw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

UnDefend uses

Family
BOINC uses

Family
WarzoneRAT uses
NetSupport RAT uses

Family
MICROBACKDOOR uses
Shai-Hulud 2.0 uses

Family
Lumma Stealer uses

Family
UltraVNC uses

Family
VBCloud uses

Family
FRPC uses

Family
MetaStealer uses

Family
SANDWORM_MODE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 9

1–12 of 103

Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Espionage Campaign Targeted Stock Exchange Executive for Five … related

20 MITREs 4 Malwares 20 Observables
Malicious npm packages abuse dependency confusion to profile … related

20 MITREs 7 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (57)

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-20182 KEV targets

10.0 Critical

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …

Attack vector: NETWORK
Complexity: LOW
Published: 14/05/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-11953 KEV targets

9.8 Critical

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes …

Attack vector: NETWORK
Published: 03/11/2025
Modified: 07/02/2026

Awaiting Analysis

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2017-5638 targets

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2026-33825 KEV targets

7.8 High

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

Attack vector: LOCAL
Complexity: LOW
Published: 14/04/2026
Modified: 29/04/2026

CWE-1220 Received

CVE-2018-6065 KEV targets

Google Chromium V8 Engine contains an integer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

← Previous

Page / 5

1–12 of 57

T1552 subtechnique-of

Unsecured Credentials MITRE

Tool (3)

LaZagne uses

The MITRE Corporation Confidence 100

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Course Of Action (1)

Audit mitigates

Campaign (1)

Leviathan Australian Intrusions uses

Contact About Legal notice Privacy policy Terms of use