T1552.004: T1552.004
Essential information
- MITRE technique ID
T1552.004- Confidence
- 100/100
- Revoked
- No
- Published
- 04/02/2020 14:06
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Private Keys
Platforms
windows macos linux Network Devices
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (14)
-
PhantomRaven usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-0501 usesThe MITRE Corporation Confidence 100
[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Rocke usesThe MITRE Corporation Confidence 100
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC3886 usesThe MITRE Corporation Confidence 100
[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC2903 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 · -
medusa usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
TeamTNT usesThe MITRE Corporation Confidence 100
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Slow Pisces usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Sandworm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (46)
-
Troll Stealer usesThe MITRE Corporation Confidence 100
[Troll Stealer](https://attack.mitre.org/software/S1196) is an information stealer written in Go associated with [Kimsuky](https://attack.mitre.org/groups/G0094) operations. [Troll Stealer](https://attack.mitre.org/software/S1196) has typically been delivered through a dropper disguised as a legitimate security program…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CanisterWorm usesFamily
-
helpers.php stealer usesFamily
-
Machete uses
-
Remcos usesFamily
-
GhostLoader usesFamily
-
transformers.pyz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mini Shai-Hulud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DebugChromium.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PCPJack usesFamily
-
UNC2903 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RN Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (23)
-
AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
19 MITREs 2 Malwares 2 Observables
-
AlienVault Confidence 100 20 MITREs 5 IOCs 5 Observables
-
AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
-
Latest PyPi Compromise relatedAlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT
-
17 MITREs 1 Observable 1 APT
-
AlienVault Confidence 100 17 MITREs 1 Malware 2 IOCs 2 Observables
-
Copycat hits another npm package relatedAlienVault Confidence 100 19 MITREs 1 Malware 3 IOCs 3 Observables
-
AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
-
AlienVault Confidence 100 16 MITREs 2 Malwares 7 IOCs 7 Observables
Vulnerabilities (CVE) (15)
targets
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …
- Attack vector
- NETWORK
- Published
- 21/03/2025
- Modified
- 21/12/2025
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …
- Attack vector
- Network
- Published
- 04/11/2025
- Modified
- 08/05/2026
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code …
- Attack vector
- Network
- Published
- 14/05/2025
- Modified
- 14/01/2026
- Published
- 27/04/2026
- Modified
- 27/04/2026
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …
- Attack vector
- Network
- Published
- 08/04/2025
- Modified
- 21/12/2025
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …
- Attack vector
- Network
- Published
- 11/02/2026
- Modified
- 08/05/2026
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …
- Attack vector
- NETWORK
- Published
- 17/11/2025
- Modified
- 08/05/2026
Apache HTTP Server, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.
- Published
- 29/09/2025
- Modified
- 20/12/2025
Course Of Action (4)
-
Encrypt Sensitive Information mitigates
-
Restrict File and Directory Permissions mitigates
-
Audit mitigates
-
Password Policies mitigates
Tool (3)
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
-
AADInternals usesThe MITRE Corporation Confidence 100
[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Campaign (2)
-
Operation Wocao uses
-
SolarWinds Compromise uses