T1552.001: T1552.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 04/02/2020 13:52 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1552.001
Confidence: 100/100
Revoked: No
Published: 04/02/2020 13:52
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Credentials In Files

Platforms

windows macos linux Containers IaaS

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP) In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Unit 42 Hildegard Malware
Unit 42 Unsecured Docker Daemons
mitre-attack (T1552.001)
CG 2014
Specter Ops - Cloud Credential Storage
SRD GPP

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (56)

Stone Wolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 uses GOLD CABINShathak

The MITRE Corporation Confidence 100

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Linen Typhoon, Violet Typhoon, Storm-2603 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6148 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Saci uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1151 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Emennet Pasargad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8616 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Angry Likho uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
hackerbot-claw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 56

UnDefend uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BOINC uses

Family
WarzoneRAT uses
NetSupport RAT uses

Family
MICROBACKDOOR uses
Shai-Hulud 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lumma Stealer uses

Family
UltraVNC uses

Family
VBCloud uses

Family
FRPC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MetaStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SANDWORM_MODE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Espionage Campaign Targeted Stock Exchange Executive for Five … related

20 MITREs 4 Malwares 20 Observables
Malicious npm packages abuse dependency confusion to profile … related

20 MITREs 7 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (61)

CVE-2026-20122 KEV targets

5.4 Medium

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 15/05/2026

CWE-648 Received

CVE-2025-31151 targets

Published: 27/04/2026
Modified: 27/04/2026

CVE-2025-49844 targets

9.9 Critical

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a …

Published: 03/10/2025
Modified: 03/10/2025

Received

CVE-2024-40711 KEV targets

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2023-39143 targets

9.8 Critical

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …

Attack vector: NETWORK
Published: 04/08/2023
Modified: 08/05/2026

CVE-2018-17480 KEV targets

Google Chromium V8 Engine contains out-of-bounds write vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2019-7192 targets

CVE-2026-20128 KEV targets

7.5 High

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain …

Attack vector: Local
Complexity: High
Published: 25/02/2026
Modified: 15/05/2026

CWE-257 Received

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

← Previous

Page / 6

37–48 of 61

T1552 subtechnique-of

Unsecured Credentials MITRE

Tool (3)

LaZagne uses

The MITRE Corporation Confidence 100

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
AADInternals uses

The MITRE Corporation Confidence 100

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use