T1552.001: T1552.001
Essential information
- MITRE technique ID
T1552.001- Confidence
- 100/100
- Revoked
- No
- Published
- 04/02/2020 13:52
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
Credentials In Files
Platforms
windows macos linux Containers IaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
Hive0145 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Ink Dragon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Koske relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Larva-24010 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
LockBit relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lunar Spider relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MioLab relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mr_Rot13 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Muddled Libra relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
Strela Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
systemupdate.app usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamsClutch usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Atomic Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SysPhon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Olymp Loader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Danabot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SneakMain usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
transformers.pyz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Arkanix Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Latrodectus usesThe MITRE Corporation Confidence 100
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Trivy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 21 MITREs 2 Malwares
-
AlienVault Confidence 100 13 CVEs 20 MITREs 4 Malwares 6 IOCs 5 Observables 1 APT
-
AlienVault Confidence 100 13 MITREs 4 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 1 Malware 8 IOCs 5 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 17 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 19 MITREs 2 Malwares 4 IOCs 2 Observables
-
AlienVault Confidence 100 2 CVEs 20 MITREs 2 IOCs 2 Observables
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 24 MITREs 4 Malwares 9 IOCs 9 Observables
-
AlienVault Confidence 100 19 MITREs 3 Malwares 11 IOCs 5 Observables
-
AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Vulnerabilities (CVE) (77)
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.0005 (P15.8%)
- Published
- 23/03/2026
- Modified
- 13/07/2026
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This …
- Attack vector
- Network
- Complexity
- Low
- Published
- 25/02/2026
- Modified
- 15/05/2026
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended …
- Published
- 09/10/2025
- Modified
- 10/10/2025
Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
- Published
- 28/03/2022
- Modified
- 21/12/2025
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/04/2026
- Modified
- 11/05/2026
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the …
- Attack vector
- Network
- Complexity
- Low
- EPSS
- 0.0002 (P4.5%)
- Published
- 11/05/2026
- Modified
- 13/07/2026
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …
- Attack vector
- Network
- Complexity
- Low
- Published
- 09/04/2026
- Modified
- 29/04/2026
- Published
- 13/07/2026
Tool (3)
-
LaZagne usesThe MITRE Corporation Confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
-
AADInternals usesThe MITRE Corporation Confidence 100
[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…