T1552.001: T1552.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 04/02/2020 13:52 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1552.001
Confidence: 100/100
Revoked: No
Published: 04/02/2020 13:52
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Credentials In Files

Platforms

windows macos linux Containers IaaS

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP) In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Unit 42 Hildegard Malware
Unit 42 Unsecured Docker Daemons
mitre-attack (T1552.001)
CG 2014
Specter Ops - Cloud Credential Storage
SRD GPP

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (56)

Stone Wolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 uses GOLD CABINShathak

The MITRE Corporation Confidence 100

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Linen Typhoon, Violet Typhoon, Storm-2603 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6148 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Saci uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1151 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Emennet Pasargad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8616 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Angry Likho uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
hackerbot-claw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 56

UnDefend uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BOINC uses

Family
WarzoneRAT uses
NetSupport RAT uses

Family
MICROBACKDOOR uses
Shai-Hulud 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lumma Stealer uses

Family
UltraVNC uses

Family
VBCloud uses

Family
FRPC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MetaStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SANDWORM_MODE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Espionage Campaign Targeted Stock Exchange Executive for Five … related

20 MITREs 4 Malwares 20 Observables
Malicious npm packages abuse dependency confusion to profile … related

20 MITREs 7 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (61)

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2020-6418 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-6543 targets

9.2 Critical

Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway …

Published: 25/06/2025
Modified: 26/06/2025

Awaiting Analysis

CVE-2025-4427 KEV targets

5.3 Medium

Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

CVE-2016-1646 KEV targets

8.8 High

Google Chromium V8 Engine contains an out-of-bounds read vulnerability that allows a remote attacker to cause a denial of service or possibly …

Attack vector: NETWORK
Complexity: LOW
Published: 29/03/2016
Modified: 22/04/2026

CWE-125

CVE-2026-0257 KEV targets

4.7 Medium

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …

Attack vector: NETWORK
Complexity: LOW
Published: 13/05/2026
Modified: 10/06/2026

CWE-565 Awaiting Analysis

CVE-2018-17463 KEV targets

Google Chromium V8 Engine contains an unspecified vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2025-48703 KEV targets

9.0 Critical

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …

Attack vector: Network
Published: 04/11/2025
Modified: 08/05/2026

Received

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2017-5030 KEV targets

8.8 High

Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. …

Attack vector: NETWORK
Complexity: LOW
Published: 25/04/2017
Modified: 22/04/2026

CWE-125

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

← Previous

Page / 6

25–36 of 61

T1552 subtechnique-of

Unsecured Credentials MITRE

Tool (3)

LaZagne uses

The MITRE Corporation Confidence 100

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use