Unsecured Credentials: Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping.[1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.[2]

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.[3] They may also be found as parameters to deployment commands in container logs.[4] In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.[5]

ID: T1552.001
Sub-technique of: T1552
Platforms: Containers, IaaS, Linux, Windows, macOS
Contributors: Jay Chen, Palo Alto Networks; Microsoft Threat Intelligence Center (MSTIC); Rory McCune, Aqua Security; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.3
Created: 04 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[6]

S0331 Agent Tesla

Agent Tesla has the ability to extract credentials from configuration or support files.[7]

G0022 APT3

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[8]

G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[9][10]

S0344 Azorult

Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.[11]

S0089 BlackEnergy

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.[12][13]

G1003 Ember Bear

Ember Bear has dumped configuration settings in accessed IP cameras including plaintext credentials.[14]

S0367 Emotet

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.[15][16]

S0363 Empire

Empire can use various modules to search for files containing passwords.[17]

G1016 FIN13

FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.[18]

G0117 Fox Kitten

Fox Kitten has accessed files to gain valid credentials.[19]

S0601 Hildegard

Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.[3]

G0119 Indrik Spider

Indrik Spider has searched files to obtain and exfiltrate credentials.[20]

S0283 jRAT

jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and Google Talk.[21]

G0094 Kimsuky

Kimsuky has used tools that are capable of obtaining credentials from saved mail.[22]

S0349 LaZagne

LaZagne can obtain credentials from chats, databases, mail, and WiFi.[23]

G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne.[24]

C0049 Leviathan Australian Intrusions

Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.[25]

G0069 MuddyWater

MuddyWater has run a tool that steals passwords saved in victim email.[26]

G0049 OilRig

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[27][28][29][30]

S0067 pngdowner

If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[31]

S0378 PoshC2

PoshC2 contains modules for searching for passwords in local and remote files.[32]

S0192 Pupy

Pupy can use Lazagne for harvesting credentials.[33]

S0583 Pysa

Pysa has extracted credentials from the password database before encrypting the files.[34]

S0262 QuasarRAT

QuasarRAT can obtain passwords from FTP clients.[35][36]

G1039 RedCurl

RedCurl used LaZagne to obtain passwords in files.[37][38]

G1015 Scattered Spider

Scattered Spider searches for credential storage documentation on a compromised host.[39][40][41]

C0058 SharePoint ToolShell Exploitation

During SharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.[42][43][44][45][46]

S0226 Smoke Loader

Smoke Loader searches for files named logins.json to parse for credentials.[47]

S1183 StrelaStealer

StrelaStealer searches for and, if found, collects the contents of files such as logins.json and key4.db in the %APPDATA%\Thunderbird\Profiles\ directory, associated with the Thunderbird email application.[48][49]

G0092 TA505

TA505 has used malware to gather credentials from FTP clients and Outlook.[50]

G0139 TeamTNT

TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[51][52][53]

S0266 TrickBot

TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.[54][55] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[56]

S0117 XTunnel

XTunnel is capable of accessing locally stored passwords on victims.[57]

Mitigations

ID Mitigation Description
M1047 Audit

Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.

M1027 Password Policies

Establish an organizational policy that prohibits password storage in files.

M1022 Restrict File and Directory Permissions

Restrict file shares to specific directories with access only to necessary users.

M1017 User Training

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
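The audit mitigation above amounts to a scanner that finds secret-bearing keys in configuration files before an adversary does. The block below is an added example, not MITRE's or any listed tool's code: the file suffixes, the key-name regex and the sample files it writes to a temporary directory are all assumed or constructed for the demonstration, and reported values are redacted.

```python
import os
import re
import tempfile

# Config file types named in this page's analytics and procedure examples (assumed list).
CONFIG_SUFFIXES = (".env", ".xml", ".ps1", ".json", ".yml", ".yaml", ".ini", ".config", ".conf")
# key=value / key: value / key="value" where the key looks like a secret (assumed pattern).
SECRET_LINE = re.compile(r'(?i)(password|passwd|pwd|secret|api[_-]?key|token|access[_-]?key)'
                         r'\s*[=:]\s*["\']?([^"\'\s<;]+)')
TEMPLATED = ("${", "{{")  # values injected at runtime are not secrets stored in the file

def redact(value):
    # Keep two characters so an analyst can recognise the value without exposing it.
    return value[:2] + "*" * (len(value) - 2)

def scan_file(path, root):
    findings = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = SECRET_LINE.search(line)
            if m and not m.group(2).startswith(TEMPLATED):
                findings.append({"file": os.path.relpath(path, root), "line": lineno,
                                 "key": m.group(1), "value": redact(m.group(2))})
    return findings

def scan_tree(root):
    """Walk root and return every plaintext secret found in config-like files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CONFIG_SUFFIXES):
                findings.extend(scan_file(os.path.join(dirpath, name), root))
    return findings

def build_sample_tree():
    """Create a constructed directory of sample files (all values are made up); returns its path."""
    root = tempfile.mkdtemp()
    samples = {
        "app/.env": "DB_USER=app\nDB_PASSWORD=hunter2-example\n",
        "app/web.config": '<connectionStrings>\n  <add name="Main" connectionString='
                          '"Server=db;User Id=sa;Password=sqlpw-example;" />\n</connectionStrings>\n',
        "scripts/backup.ps1": "$Password = \"Winter2024-example\"\nBackup-Share -Pwd $Password\n",
        "deploy/config.yml": "db:\n  password: ${DB_PASSWORD}\n",  # templated, should be skipped
        "notes/readme.txt": "password = not-a-config-file\n",      # wrong extension, not scanned
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Running `scan_tree(build_sample_tree())` reports three findings (the .env, web.config and .ps1 files) and skips the templated YAML value and the non-config text file.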

Detection Strategy

ID Name Analytic ID Analytic Description
DET0307 Detect Access to Unsecured Credential Files Across Platforms AN0856

Correlated file access to insecure credential files (e.g., .env, .xml, *.ps1) followed by suspicious process execution or authentication using retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.

AN0857

File reads or process executions involving insecurely stored credential files (e.g., config files with password fields) by non-root or anomalous users followed by ssh authentication attempts.

AN0858

Terminal-based grep or open of plist/config files containing credentials, correlated with Keychain or system login attempts.

AN0859

Container processes accessing mounted secrets or configuration paths (e.g., /run/secrets, /mnt/config) followed by network access or credential use.

AN0860

Access to local credential/config files (e.g., ~/.aws/credentials) followed by metadata API calls or cloud role assumptions.
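The five analytics share one shape: a read of a known credential file followed, within some window, by a credential-use event on the same host. The block below is an added example, not MITRE's or any vendor's detection code, that implements that correlation over constructed events; the path patterns, event type names and field names are assumptions about what the telemetry would carry.

```python
from datetime import datetime, timedelta
import fnmatch

# Paths the analytics call out, plus files from the procedure examples (assumed patterns).
CREDENTIAL_FILE_PATTERNS = [
    "*/.aws/credentials", "*/.env", "/run/secrets/*", "/mnt/config/*",
    "*/.docker/config.json", "*/.ssh/id_*", "*/web.config", "*/machine.config",
]
# Follow-on events that show retrieved credentials being used (event names are assumed).
CREDENTIAL_USE_EVENTS = {"metadata_api_call", "sts_assume_role", "ssh_auth", "keychain_access"}
WINDOW = timedelta(minutes=10)  # a use this long after a read still counts as correlated

def is_credential_file(path):
    return any(fnmatch.fnmatch(path, pat) for pat in CREDENTIAL_FILE_PATTERNS)

def correlate(events):
    """Pair each credential-file read with later credential-use events on the same host.

    Returns one alert dict per (read, use) pair whose gap is within WINDOW."""
    alerts, pending = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_read" and is_credential_file(ev["path"]):
            pending.append(ev)
        elif ev["type"] in CREDENTIAL_USE_EVENTS:
            for rd in pending:
                gap = ev["ts"] - rd["ts"]
                if rd["host"] == ev["host"] and timedelta(0) <= gap <= WINDOW:
                    alerts.append({"host": ev["host"], "user": rd["user"], "path": rd["path"],
                                   "reader": rd["process"], "use": ev["type"],
                                   "seconds": int(gap.total_seconds())})
    return alerts

def _ev(ts, host, type_, **extra):
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": type_, **extra}

# Constructed sample telemetry for the demonstration (not real logs).
SAMPLE_EVENTS = [
    _ev("2025-01-01T10:00:00", "web-01", "file_read", user="www-data", process="cat",
        path="/home/app/.aws/credentials"),
    _ev("2025-01-01T10:00:30", "web-01", "metadata_api_call", user="www-data"),
    _ev("2025-01-01T09:00:00", "web-01", "file_read", user="root", process="python3",
        path="/run/secrets/db_password"),
    _ev("2025-01-01T09:30:00", "web-01", "ssh_auth", user="root"),  # 30 min later: outside WINDOW
    _ev("2025-01-01T10:01:00", "build-02", "file_read", user="ci", process="grep",
        path="/etc/app/config.yml"),                                # not a credential file
    _ev("2025-01-01T10:02:00", "build-02", "ssh_auth", user="ci"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the web-01 read of ~/.aws/credentials followed 30 seconds later by a metadata API call produces an alert; the other two pairs fail the window or the file-pattern test.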

References

  1. CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.
  2. Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.
  3. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  3. Chen, J. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.
  4. Maddalena, C. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.
  6. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  7. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  8. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  9. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  10. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  11. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  12. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  13. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  14. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  15. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  16. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  17. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  18. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  19. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  20. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  21. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  22. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  23. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  24. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  25. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  26. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  27. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  28. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  29. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  30. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  31. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  32. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  33. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  34. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  35. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  36. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  37. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  38. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  39. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  40. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  41. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
  42. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025.
  43. Eye Security. (2025, July 19). SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704). Retrieved October 15, 2025.
  44. Trend Micro Research. (2022, July 22). Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771). Retrieved October 15, 2025.
  45. Kenin, S. et al. (2025, July 21). SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers. Retrieved October 15, 2025.
  46. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.
  47. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  48. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
  49. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  50. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  51. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
  52. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  53. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  54. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  55. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  56. Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  57. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.