T1552.001: T1552.001
Essential information
- MITRE technique ID
T1552.001- Confidence
- 100/100
- Revoked
- No
- Published
- 04/02/2020 13:52
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
Credentials In Files
Platforms
windows macos linux Containers IaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
PhantomRaven usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DPRK usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Earth Minotaur usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sukob usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC6240 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Starry Addax usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ANTONIO EDUARDO FREDERICO relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
UnDefend usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BOINC usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
WarzoneRAT usesFamily The MITRE Corporation Confidence 100
[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
NetSupport RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MICROBACKDOOR usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Shai-Hulud 2.0 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lumma Stealer usesThe MITRE Corporation Confidence 100
[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UltraVNC usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VBCloud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FRPC usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MetaStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SANDWORM_MODE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 19 MITREs 4 Malwares 12 IOCs 12 Observables
-
AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 145 IOCs 145 Observables
-
AlienVault Confidence 100 19 MITREs 4 Malwares 4 IOCs 4 Observables
-
AlienVault Confidence 100 22 MITREs 2 Malwares 29 IOCs 29 Observables
-
AlienVault Confidence 100 11 MITREs 5 IOCs 5 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 17 IOCs 17 Observables 1 APT
-
20 MITREs 2 Malwares 10 Observables 1 APT
-
17 MITREs 1 Malware 10 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
-
20 MITREs 1 Malware 4 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
Vulnerabilities (CVE) (64)
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.
- Published
- 08/06/2022
- Modified
- 22/04/2026
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain …
- Attack vector
- Local
- Complexity
- High
- Published
- 25/02/2026
- Modified
- 15/05/2026
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This …
- Attack vector
- Network
- Complexity
- Low
- Published
- 25/02/2026
- Modified
- 15/05/2026
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended …
- Published
- 09/10/2025
- Modified
- 10/10/2025
Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
- Published
- 28/03/2022
- Modified
- 21/12/2025
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/04/2026
- Modified
- 11/05/2026
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …
- Attack vector
- Network
- Complexity
- Low
- Published
- 09/04/2026
- Modified
- 29/04/2026
Tool (3)
-
LaZagne usesThe MITRE Corporation Confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
-
AADInternals usesThe MITRE Corporation Confidence 100
[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…