Unsecured Credentials T1552
Tactic: Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
Events covered
24 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 219 rules listed below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, however many times it references the same field.
Fields filtered most (185 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (2114 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own (a process name or a single keyword shared by dozens of rules); combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (299 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths, so check a candidate rule against them before shipping it.
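The three tables above are derived from the rules' predicates. The following is an added example, not code from the catalog or from any vendor's rule set: a small Python model that folds vendor field names onto canonical rows, ranks indicator and exclusion triples the way the tables do, and then evaluates rules (predicates plus exclusions) against process events in two vendors' field shapes. The alias table, the operator semantics (eq, wildcard, regex_match, match), the four rules, the technique tags and the events are all constructed for illustration and do not reproduce any real rule's logic.

```python
"""Added example (not catalog code): derive authoring-guide tables from a
constructed rule set and evaluate rules with exclusions against events."""
from collections import Counter
from fnmatch import fnmatchcase
import re

# Assumed alias table: vendor field names folded to one canonical name, as the
# guide does for Image / process.name / process_name. Unknown names pass through.
FIELD_ALIASES = {
    "Image": "process.name", "process_name": "process.name",
    "CommandLine": "process.command_line", "process": "process.command_line",
    "ParentImage": "process.parent.name", "parent_process_name": "process.parent.name",
}

# Assumed operator semantics: the guide names these four but does not define them.
OPERATORS = {
    "eq": lambda v, pat: v == pat,
    "wildcard": lambda v, pat: fnmatchcase(v, pat),
    "regex_match": lambda v, pat: re.search(pat, v) is not None,
    "match": lambda v, pat: pat.lower() in v.lower(),  # case-insensitive substring
}

# Constructed rules: (vendor, title, techniques, predicates, exclusions).
# Predicates are ANDed; any matching exclusion suppresses the rule.
RULES = [
    ("sigma", "demo-sigma", {"T1552"},
     [("Image", "wildcard", "*\\findstr.exe"), ("CommandLine", "match", "password")],
     [("ParentImage", "wildcard", "*\\msiexec.exe")]),
    ("elastic", "demo-elastic", {"T1552"},
     [("process.name", "eq", "findstr.exe"), ("process.command_line", "match", "password")],
     [("process.parent.name", "eq", "msiexec.exe")]),
    ("splunk", "demo-splunk", {"T1552"},
     [("process_name", "eq", "findstr.exe"), ("process", "match", "password"),
      ("process", "match", "/s")],
     []),
    ("sigma", "demo-other-technique", {"T1105"},  # same process, different technique
     [("Image", "wildcard", "*\\findstr.exe"), ("CommandLine", "match", "http")],
     [("ParentImage", "wildcard", "*\\msiexec.exe")]),
]

# Constructed events in two vendors' field shapes (values differ in shape too:
# Sysmon carries a full image path, Elastic the bare process name).
EVENTS = {
    "sigma_grep": {"Image": "C:\\Windows\\System32\\findstr.exe",
                   "CommandLine": "findstr /si password *.xml *.ini *.txt",
                   "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    "sigma_installer": {"Image": "C:\\Windows\\System32\\findstr.exe",
                        "CommandLine": "findstr /si password *.xml *.ini *.txt",
                        "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    "elastic_grep": {"process.name": "findstr.exe",
                     "process.command_line": "findstr /s /i password C:\\Users\\",
                     "process.parent.name": "powershell.exe"},
}


def canon(field):
    return FIELD_ALIASES.get(field, field)


def _triples(items):
    """Canonical (field, op, value) set for one rule: each rule counts once per row."""
    return {(canon(f), op, v) for f, op, v in items}


def indicator_table(rules, technique):
    """Rows of 'Top indicator values': (triple, rules under technique, corpus reach).
    corpus reach counts every rule in the catalog using the triple; reach equal to
    the technique count is what the guide renders as a blank (specific) cell."""
    here, corpus = Counter(), Counter()
    for _, _, techs, preds, _ in rules:
        for t in _triples(preds):
            corpus[t] += 1
            if technique in techs:
                here[t] += 1
    return sorted(((t, n, corpus[t]) for t, n in here.items()), key=lambda r: (-r[1], r[0]))


def exclusion_table(rules, technique):
    """Rows of 'Exclusions': (triple, number of rules under technique excluding it)."""
    excl = Counter()
    for _, _, techs, _, exclusions in rules:
        if technique in techs:
            excl.update(_triples(exclusions))
    return sorted(excl.items(), key=lambda r: (-r[1], r[0]))


def _hit(triple, event):
    field, op, value = triple
    observed = event.get(field)
    return observed is not None and OPERATORS[op](observed, value)


def fires(rule, event):
    """A rule fires when every predicate matches and no exclusion matches."""
    _, _, _, preds, exclusions = rule
    ev = {canon(k): v for k, v in event.items()}
    return all(_hit(t, ev) for t in _triples(preds)) and not any(_hit(t, ev) for t in _triples(exclusions))


def firing_rules(rules, event):
    return [rule[1] for rule in rules if fires(rule, event)]


if __name__ == "__main__":
    for row in indicator_table(RULES, "T1552"):
        print("indicator", row)
    for row in exclusion_table(RULES, "T1552"):
        print("exclusion", row)
    for name, ev in EVENTS.items():
        print(name, "->", firing_rules(RULES, ev))
```

Two things the run shows that the tables alone do not: the Splunk-named rule fires on the Elastic-shaped event once field names are folded, while the Sigma rule does not, because normalization is of field names only and the wildcard "*\findstr.exe" still expects a path; and the msiexec exclusion is what separates the installer event from the identical command launched from a shell, which is the kind of entry a high count in the Exclusions table is telling you to keep.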
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor; each rule's full predicates, exclusions, and indicators are recorded on its own entry.
Sigma 52 rules
- Added Owner To Application
- Application AppID Uri Configuration Changes
- Automated Collection Command Prompt
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted
- Azure Keyvault Secrets Modified or Deleted
- Azure Kubernetes Admission Controller
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Cisco Collect Data
- Cisco Crypto Commands
- Cisco Show Commands Input
- Copy Passwd Or Shadow From TMP Path
- Credentials In Files
- Credentials In Files - Linux
- DPAPI Backup Keys And Certificate Export Activity IOC
- Enumeration for 3rd Party Creds From CLI
- Enumeration for Credentials in Registry
- EventLog Query Requests By Builtin Utilities
- Extracting Information with PowerShell
- Findstr GPP Passwords
- Google Cloud Kubernetes Admission Controller
- HackTool - Typical HiveNightmare SAM File Export
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Insensitive Subfolder Search Via Findstr.EXE
- Kubernetes Admission Controller Modification
- Kubernetes Secrets Enumeration
- Linux Recon Indicators
- LSASS Process Reconnaissance Via Findstr.EXE
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- PFX File Creation
- Potential Okta Password in AlternateID Field
- Potential Password Reconnaissance Via Findstr.EXE
- Potential PowerShell Console History Access Attempt via History File
- Potential Russian APT Credential Theft Activity
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Potentially Suspicious JWT Token Search Via CLI
- PowerShell Get-Process LSASS
- Private Keys Reconnaissance Via CommandLine Tools
- PUA - TruffleHog Execution
- PUA - TruffleHog Execution - Linux
- Registry Export of Third-Party Credentials
- Remote File Download Via Findstr.EXE
- SAM Registry Hive Handle Request
- Script Interpreter Spawning Credential Scanner - Linux
- Script Interpreter Spawning Credential Scanner - Windows
- Shai-Hulud Malicious GitHub Workflow Creation
- Suspicious History File Operations
- Suspicious History File Operations - Linux
- Suspicious SYSVOL Domain Group Policy Access
Elastic 72 rules
- Access to a Sensitive LDAP Attribute
- Attempted Private Key Access
- AWS Credentials Searched For Inside A Container
- AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
- AWS EC2 User Data Retrieval for EC2 Instance
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
- AWS IAM Long-Term Access Key First Seen from Source IP
- AWS S3 Credential File Retrieved from Bucket
- Azure Arc Cluster Credential Access by Identity from Unusual Source
- Azure Event Hub Authorization Rule Created or Updated
- Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
- Azure Storage Account Key Regenerated
- Cloud Credential Search Detected via Defend for Containers
- Cloud Instance Metadata Credential Path HTTP Request
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Access via TruffleHog Execution
- First Time Python Accessed Sensitive Credential Files
- GenAI Process Accessing Sensitive Files
- GitHub Authentication Token Access via Node.js
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Kubeconfig File Creation or Modification
- Kubeconfig File Discovery
- Kubectl Secrets Enumeration Across All Namespaces
- Kubelet Certificate File Access Detected via Defend for Containers
- Kubernetes and Cloud Credential Path Access via Process Arguments
- Kubernetes Direct API Request via Curl or Wget
- Kubernetes Pod Exec Cloud Instance Metadata Access
- Kubernetes Pod Exec Sensitive File or Credential Path Access
- Kubernetes Rapid Secret GET Activity Against Multiple Objects
- Kubernetes Secret Access via Unusual User Agent
- Kubernetes Secret get or list from Node or Pod Service Account
- Kubernetes Secret get or list with Suspicious User Agent
- Kubernetes Secret or ConfigMap Access via Azure Arc Proxy
- Kubernetes Secrets List Across Cluster or Sensitive Namespaces
- Kubernetes Service Account Secret Access
- Kubernetes Service Account Token Created via TokenRequest API
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Multi-Cloud CLI Token and Credential Access Commands
- Potential Credential Discovery via Recursive Grep
- Potential Impersonation Attempt via Kubectl
- Potential Kerberos Attack via Bifrost
- Potential PowerShell HackTool Script by Function Names
- Potential Privilege Escalation via Linux DAC permissions
- Potential Secret Scanning via Gitleaks
- PowerShell Script with Password Policy Discovery Capabilities
- Private Key Searching Activity
- Security File Access via Common Utilities
- Sensitive File Compression Detected via Defend for Containers
- Sensitive Files Compression
- Sensitive Files Compression Inside A Container
- Sensitive Identity File Open by Suspicious Process via Auditd
- Sensitive Keys Or Passwords Search Detected via Defend for Containers
- Sensitive Keys Or Passwords Searched For Inside A Container
- Service Account Token or Certificate Access Followed by Kubernetes API Request
- Service Account Token or Certificate Read Detected via Defend for Containers
- Suspicious CertUtil Commands
- Suspicious Instance Metadata Service (IMDS) API Command Line Execution
- Suspicious Instance Metadata Service (IMDS) API Request
- Unusual Linux Process Calling the Metadata Service
- Unusual Linux User Calling the Metadata Service
- Unusual Web Config File Access
- Unusual Windows Process Calling the Metadata Service
- Unusual Windows User Calling the Metadata Service
- Web Server Exploitation Detected via Defend for Containers
- Web Server Local File Inclusion Activity
- Web Server Potential Command Injection Request
- Wireless Credential Dumping using Netsh Command
Splunk 44 rules
- Add DefaultUser And Password In Registry
- ADExplorer Execution (Sysmon)
- ADExplorer Execution (Windows Event Log)
- ADExplorer Snapshot Creation (Sysmon)
- ADExplorer Snapshot Creation (Windows Event Log)
- Attempted Veeam Database Credential Dump (PowerShell)
- Attempted Veeam Database Credential Dump (Sysmon)
- Attempted Veeam Database Credential Dump (Windows Event Log)
- Auto Admin Logon Registry Entry
- Cisco Isovalent - Access To Cloud Metadata Service
- Cisco SNMP Community String Configuration Changes
- Credentials in Registry (Windows Event Log)
- Detect AWS Console Login by New User
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Abuse of Secret by Unusual User Agent
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Abuse of Secret by Unusual User Name
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Private Keys and Certificate Enumeration
- Locate Credentials (PowerShell)
- Locate Credentials (Sysmon)
- Locate Credentials (Windows Event Log)
- MCP Github Suspicious Operation
- MCP Sensitive System File Search
- Mimikatz (Sysmon)
- Mimikatz (Windows Event Log)
- Mimikatz Execution (Windows Event Log)
- O365 Email Suspicious Search Behavior
- O365 SharePoint Suspicious Search Behavior
- Potential password in username
- Shai-Hulud 2 Exfiltration Artifact Files
- Windows Credentials in Registry Reg Query
- Windows Export Certificate
- Windows Findstr GPP Discovery
- Windows LAPS Password Gathering Via PowerShell Script
- Windows Post Exploitation Risk Behavior
- Windows PowerShell Export Certificate
- Windows PowerShell Export PfxCertificate
- Windows PowerSploit GPP Discovery
- Windows Private Keys Discovery
- Windows SharePoint Spinstall0 GET Request
- Windows Unsecured Outlook Credentials Access In Registry
- Windows Unusual FileZilla XML Config Access
- Windows Unusual Intelliform Storage Registry Access
Kusto 15 rules
- AD FS Abnormal EKU object identifier attribute
- Azure DevOps Variable Secret Not Secured
- BTP - Cloud Integration JDBC data source changes
- BTP - Cloud Integration tampering with security material
- CiscoISE - Certificate has expired
- Cross-Cloud Suspicious Compute resource creation in GCP
- Cross-Cloud Suspicious user activity observed in GCP Envourment
- Cynerio - IoT - Default password
- Cynerio - IoT - Weak password
- F&O - Unusual sign-in activity using single factor authentication
- GCP Security Command Center - Detect Open/Unrestricted API Keys
- GCP Security Command Center - Detect projects with API Keys present
- Pathlock TDnR - LDAP Synchronization Application Log Events
- Pathlock TDnR - STRUST PSE Certificate Changes
- Powershell Empire Cmdlets Executed in Command Line
YARA-L 6 rules
- ADFS DKM Key Access
- AWS IAM Compromised Key Quarantine Policy Attached
- GCP Service Account Key Used From Multiple Countries
- GitHub Secret Scanning Alert
- Google Workspace Encryption Key File Accessed By An Anonymous User
- OneLogin Application Password Revealed
Panther 30 rules
- AppOmni Alert Passthrough
- AWS Access Key Rotation
- AWS Compromised IAM Key Quarantine
- AWS IAM Access Key Compromise Detection
- AWS KMS CMK Key Rotation
- AWS KMS Key Restricts Usage
- AWS RDS Log File Downloaded
- AWS Secrets Manager Batch Retrieve Secrets
- AWS Secrets Manager Batch Retrieve Secrets Catch-All
- AWS Secrets Manager Retrieve Secrets Multi-Region
- Azure Storage Account Keys Listed
- Azure Storage SAS Token Access from External IP
- BETA - Sensitive 1Password Item Accessed
- Configuration Required - Sensitive 1Password Item Accessed
- Databricks TruffleHog Scan Detected
- EC2 Secrets Manager Retrieve Secrets
- GitHub Secret Scanning Alert Created
- GSuite User Password Leaked
- Kubernetes Admission Controller Webhook Created
- Kubernetes All Secrets Dumped Across Namespaces
- Kubernetes Client Certificate Credential Created
- Kubernetes Data Copy via kubectl cp
- Kubernetes Ingress Created Without TLS
- Kubernetes Long-Lived Service Account Token Created
- Kubernetes Secret Access Denied
- Kubernetes Secret Enumeration by a User
- Kubernetes Service Account Token Theft from Pod
- Okta Password Accessed
- OneLogin Password Access
- Secret Exposed and not Quarantined