Unsecured Credentials (T1552) is one of the most abused techniques in the Credential Access tactic of the MITRE ATT&CK framework. Unsecured credentials are authentication secrets that are stored, transmitted, or exposed without adequate protection, making them accessible to unauthorized actors. Within the Credential Access phase of an attack lifecycle, adversaries actively seek these credentials to escalate privileges, move laterally, and maintain persistence.
Unlike advanced credential dumping techniques that rely on memory scraping or kernel exploits, unsecured credentials often require little sophistication—they are frequently misconfigurations, poor operational practices, or legacy design flaws.
T1552.001 – Credentials In Files
Technical Description
Adversaries search for plaintext or weakly protected credentials stored in files across endpoints, servers, containers, and backups.
Common File Targets
- Application config files (.env, .ini, .yaml, .xml, .json)
- Backup archives (.zip, .tar.gz)
- Deployment scripts and installers
- Log files with debug output
Why This Works
- Developers prioritize functionality over secrecy
- Credentials often copied across environments
- Files inherit overly permissive permissions
IOCs
- Unusual file read activity on config directories
- Access to sensitive files by non-application processes
- Compression or exfiltration shortly after file access
IR Actions
- Identify exposed files
- Rotate all discovered credentials
- Implement secrets vaults
- Restrict filesystem permissions
T1552.002 – Credentials in Registry
Technical Description
On Windows systems, credentials may be stored in the registry, either intentionally or due to legacy behavior.
Common Registry Locations
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Application-specific registry keys
- Cached service credentials
Abuse Pattern
Attackers query registry keys locally or remotely and extract:
- Auto-logon passwords
- Service account credentials
- Database connection strings
IOCs
- Registry query tools accessing sensitive hives
- Non-admin registry access attempts
- PowerShell querying Winlogon keys
IR Actions
- Remove plaintext registry credentials
- Disable auto-logon
- Audit registry ACLs
- Enforce credential encryption
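Two of the IR actions above (remove plaintext registry credentials, disable auto-logon) and the IOC "PowerShell querying Winlogon keys" can be checked mechanically. The following is an added example, not code from the article: it audits the values found under the Winlogon key and applies simple detection logic to normalised Windows events. The event field names (`object_name`, `process_name`, `command_line`, `script_block`) and the allow-list of processes are assumptions to be mapped onto your own SIEM schema; the sample events are constructed, not real telemetry.

```python
import sys

# Processes expected to read Winlogon values on a healthy host (constructed
# allow-list; tune it to the environment).
EXPECTED_PROCESSES = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
CREDENTIAL_VALUES = ("defaultpassword", "altdefaultpassword", "autoadminlogon")


def audit_winlogon_values(values: dict) -> list:
    """Flag auto-logon settings that leave a password in the registry.

    values: value name -> data as read from the Winlogon key (names matched case-insensitively).
    """
    v = {name.lower(): str(data) for name, data in values.items()}
    findings = []
    if v.get("defaultpassword"):
        findings.append("DefaultPassword is set: plaintext credential stored in the registry")
    if v.get("altdefaultpassword"):
        findings.append("AltDefaultPassword is set: plaintext credential stored in the registry")
    if v.get("autoadminlogon") == "1":
        findings.append("AutoAdminLogon=1: automatic logon is enabled")
    return findings


def read_winlogon_values() -> dict:
    """Read the Winlogon key on a Windows host; returns an empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            out[name] = data
            index += 1
    return out


def flag_event(event: dict):
    """Return an alert string for one normalised Windows event, or None.

    Supported shapes (assumed field names):
      4663  object_name, process_name  registry object access (requires a SACL on the key)
      4688  command_line               process creation with command-line auditing enabled
      4104  script_block               PowerShell script block logging
    """
    eid = event.get("event_id")
    if eid == 4663:
        obj = event.get("object_name", "").lower()
        proc = event.get("process_name", "").lower()
        if WINLOGON_KEY in obj and proc not in EXPECTED_PROCESSES:
            return f"4663: non-system process {proc} read the Winlogon key"
    elif eid == 4688:
        cmd = event.get("command_line", "").lower()
        if "winlogon" in cmd and any(v in cmd for v in CREDENTIAL_VALUES):
            return f"4688: command line queries Winlogon credential values: {cmd}"
    elif eid == 4104:
        text = event.get("script_block", "").lower()
        if "winlogon" in text and any(v in text for v in CREDENTIAL_VALUES):
            return "4104: PowerShell script block queries Winlogon credential values"
    return None


def flag_events(events) -> list:
    return [alert for alert in (flag_event(e) for e in events) if alert]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4663, "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "process_name": r"C:\Windows\System32\winlogon.exe"},
    {"event_id": 4663, "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "process_name": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    {"event_id": 4688, "command_line": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword'},
    {"event_id": 4104, "script_block": r"Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select DefaultUserName, DefaultPassword"},
    {"event_id": 4104, "script_block": "Get-Process | Where-Object CPU -gt 100"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
    print(audit_winlogon_values(read_winlogon_values() or {"AutoAdminLogon": "1", "DefaultPassword": "x"}))
```

Event 4663 only fires if a SACL has been placed on the Winlogon key, and 4688 only carries the command line when command-line auditing is enabled; the allow-list in `flag_event` is the part that needs tuning per environment.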
T1552.003 – Shell History
Technical Description
Shell history files store previously executed commands, which often include credentials passed as command-line arguments.
Common Targets
- .bash_history, .zsh_history
- PowerShell PSReadLine history
- Cloud CLI command history
Typical Leakage
- Database passwords
- API tokens
- Cloud access keys
- SSH commands with inline passwords
IOCs
- Access to shell history files by unexpected processes
- Lateral movement immediately after history access
IR Actions
- Clear shell histories
- Enforce non-interactive secret usage
- Disable history logging for sensitive commands
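The first IR action for both T1552.001 (identify exposed files) and T1552.003 (find secrets that landed in shell history) is the same job: walk a filesystem, pick out config files and history files, and flag lines that look like credentials plus files that are readable by everyone. The scanner below is an added example and not code from the article; the regex set, the candidate file names and the sample files it writes into a temporary directory are all constructed for illustration (the AWS key is the documented `AKIAIOSFODNN7EXAMPLE` placeholder, not a live key).

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Illustrative secret shapes (constructed for this example; a production scanner
# carries far more patterns plus entropy checks).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)['\"]?\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
    "url_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    # Inline password flags typed at a shell prompt, e.g. mysql -pSECRET or --password=SECRET
    "cli_password_flag": re.compile(r"(?i)\bmysql\b.*\s-p\S+|--password[= ]\S+"),
}

# File kinds from the article: application config files and shell histories.
CONFIG_SUFFIXES = {".env", ".ini", ".yaml", ".yml", ".xml", ".json"}
CANDIDATE_NAMES = {".env", ".bash_history", ".zsh_history", "ConsoleHost_history.txt"}


def is_candidate(path: Path) -> bool:
    # Path(".env").suffix is "" because the name starts with a dot, hence the name check.
    return path.suffix.lower() in CONFIG_SUFFIXES or path.name in CANDIDATE_NAMES


def world_readable(path: Path) -> bool:
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_text(text: str, source: str) -> list:
    """One finding per (line, pattern) hit; the matched secret itself is deliberately not stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"source": source, "line": lineno, "kind": kind})
    return findings


def scan_tree(root) -> list:
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_candidate(path):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = scan_text(text, path.relative_to(root).as_posix())
        for hit in hits:
            hit["world_readable"] = world_readable(path)
        findings.extend(hits)
    return findings


def build_sample_tree(root=None) -> str:
    """Write constructed sample files (no real secrets) under root and return the path."""
    root = Path(root or tempfile.mkdtemp(prefix="t1552-"))
    samples = {
        "app/.env": ("DB_PASSWORD=s3cr3tP@ss\nDB_HOST=db.internal\n", 0o644),
        "app/config.json": ('{\n  "database": "prod",\n  "apiKey": "abcd1234efgh5678"\n}\n', 0o600),
        ".bash_history": ("mysql -u root -pHunter2! prod\n"
                          "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                          "ls -la\n", 0o600),
        "notes.txt": ("password=notscanned123\n", 0o644),  # not a candidate file type
    }
    for rel, (content, mode) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return str(root)


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Findings carry only the file, line and pattern name, so the scanner's own output does not become another copy of the secret; the `world_readable` flag separates "credential present" from "credential present and exposed to every local account", which is the case to rotate first.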
T1552.004 – Private Keys
Technical Description
Private cryptographic keys enable authentication without passwords and are often stored insecurely.
Key Types
- SSH private keys
- TLS/SSL private keys
- Code-signing certificates
- PGP keys
Impact
- Passwordless access
- Long-lived persistence
- Trust chain compromise
IOCs
- Unauthorized access to .ssh directories
- Abnormal certificate usage
- Unexpected SSH authentication success
IR Actions
- Revoke compromised keys
- Rotate certificates
- Enforce passphrases and HSMs
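"Enforce passphrases" is only auditable if you can tell an encrypted key file from an unencrypted one. The added example below (not code from the article) does that for the two common on-disk formats: for PEM it looks at the `ENCRYPTED PRIVATE KEY` header or the legacy `Proc-Type: 4,ENCRYPTED` line, and for OpenSSH's `openssh-key-v1` format it decodes the envelope and reads the `ciphername`/`kdfname` strings, where `none` means the key is stored in the clear. The sample key files it writes are constructed placeholders that cannot be used for SSH.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
PEM_ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n


def openssh_cipher(text: str):
    """Return (ciphername, kdfname) from an openssh-key-v1 envelope; 'none' means unencrypted."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_ssh_string(blob, off)
    kdf, off = _read_ssh_string(blob, off)
    return cipher.decode(), kdf.decode()


def classify_key(text: str):
    """Return (kind, encrypted) or None when the text is not a private key."""
    if OPENSSH_HEADER in text:
        cipher, _ = openssh_cipher(text)
        return "openssh", cipher != "none"
    if any(h in text for h in PEM_HEADERS):
        return "pem", any(m in text for m in PEM_ENCRYPTED_MARKERS)
    return None


def scan_keys(root) -> list:
    """Walk root, classify every private key found and note loose file modes."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        kind = classify_key(text)
        if kind is None:
            continue
        mode = path.stat().st_mode
        results.append({
            "path": path.relative_to(root).as_posix(),
            "kind": kind[0],
            "encrypted": kind[1],
            "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return results


def make_openssh_key(cipher: str, kdf: str) -> str:
    """Build a minimal constructed openssh-key-v1 envelope with placeholder key material."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1)              # kdfoptions, number of keys
            + _ssh_string(b"placeholder-public") + _ssh_string(b"placeholder-private"))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([OPENSSH_HEADER, *lines, "-----END OPENSSH PRIVATE KEY-----", ""])


def build_sample_tree(root=None) -> str:
    """Constructed sample files: one clear-text OpenSSH key, one encrypted PEM, one clear-text PEM."""
    root = Path(root or tempfile.mkdtemp(prefix="t1552-keys-"))
    samples = {
        ".ssh/id_ed25519": (make_openssh_key("none", "none"), 0o600),
        ".ssh/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "deploy/server.key": ("-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n", 0o644),
        "deploy/server.crt": ("-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return str(root)


if __name__ == "__main__":
    for entry in scan_keys(build_sample_tree()):
        print(entry)
```

A key that is unencrypted, or readable by other accounts, is the one to revoke and re-issue; for TLS and code-signing keys the longer-term fix from the IR list is to keep them in an HSM so there is no file to find.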
T1552.005 – Cloud Instance Metadata API
Technical Description
Cloud providers expose metadata APIs to instances, often including temporary credentials.
Attack Flow
- Attacker gains code execution
- Queries metadata endpoint
- Extracts access tokens
- Uses them outside the instance
Why Dangerous
- No MFA
- Trusted by cloud control plane
- Often overly permissive
IOCs
- Unexpected metadata API calls
- API usage from unfamiliar IPs
- Access outside expected workloads
IR Actions
- Enforce IMDSv2 (session tokens) and a hop limit of 1
- Restrict IAM permissions
- Rotate instance roles
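The attack flow and IR actions above translate into two checks: flag metadata-endpoint traffic from processes that have no business calling it (and note when the call was an IMDSv1-style `GET` with no session token), and audit each instance's metadata options for `HttpTokens: required` and a hop limit of 1. The code below is an added example, not from the article; the egress records and their field names (`process`, `dst`, `path`, `method`, `has_token_header`) are a constructed, simplified shape of what a host agent would emit, and the allow-list of expected callers is an assumption. The `MetadataOptions` field names follow the AWS EC2 `describe-instances` output.

```python
# Well-known metadata endpoints (link-local IPv4 is shared by the major clouds).
IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
# Agents that legitimately poll the metadata service (constructed allow-list).
EXPECTED_CALLERS = {"cloud-init", "amazon-ssm-agent", "amazon-cloudwatch-agent"}


def flag_imds_calls(records) -> list:
    """Return one alert per metadata call from a process outside the allow-list."""
    alerts = []
    for r in records:
        if r.get("dst") not in IMDS_ADDRESSES or r.get("process") in EXPECTED_CALLERS:
            continue
        reason = f"{r['process']} reached the metadata endpoint"
        # IMDSv2 clients first PUT to /latest/api/token and send that token on every GET;
        # a bare GET without the token header is the IMDSv1 pattern.
        if r.get("method") == "GET" and not r.get("has_token_header"):
            reason += " using IMDSv1 (no session token)"
        if "security-credentials" in r.get("path", ""):
            reason += "; requested role credentials"
        alerts.append({"process": r["process"], "path": r.get("path", ""), "reason": reason})
    return alerts


def audit_metadata_options(instance: dict) -> list:
    """Check an EC2 instance's MetadataOptions against the hardening in the IR actions."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # endpoint switched off entirely; nothing left to harden
    if opts.get("HttpTokens") != "required":
        findings.append("HttpTokens is not 'required': IMDSv1 requests are still answered")
    if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
        findings.append("HttpPutResponseHopLimit > 1: token responses can travel past the "
                        "instance's own network stack (for example into containers)")
    return findings


# Constructed sample data, not captured traffic.
SAMPLE_RECORDS = [
    {"process": "cloud-init", "dst": "169.254.169.254", "method": "GET",
     "path": "/latest/meta-data/instance-id", "has_token_header": True},
    {"process": "amazon-ssm-agent", "dst": "169.254.169.254", "method": "PUT",
     "path": "/latest/api/token", "has_token_header": False},
    {"process": "python3", "dst": "169.254.169.254", "method": "GET",
     "path": "/latest/meta-data/iam/security-credentials/", "has_token_header": False},
    {"process": "curl", "dst": "169.254.169.254", "method": "GET",
     "path": "/latest/meta-data/hostname", "has_token_header": True},
    {"process": "python3", "dst": "10.0.0.20", "method": "GET", "path": "/health"},
]
WEAK_INSTANCE = {"InstanceId": "i-EXAMPLE0", "MetadataOptions": {
    "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
HARDENED_INSTANCE = {"InstanceId": "i-EXAMPLE1", "MetadataOptions": {
    "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}}

if __name__ == "__main__":
    for alert in flag_imds_calls(SAMPLE_RECORDS):
        print(alert["reason"])
    print(audit_metadata_options(WEAK_INSTANCE), audit_metadata_options(HARDENED_INSTANCE))
```

Requiring tokens does not stop a process that already runs on the instance from obtaining credentials; it closes the SSRF and misconfigured-proxy routes, and the hop limit keeps containers on the host from completing the token handshake. The "rotate instance roles" step still has to follow any confirmed alert.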
T1552.006 – Group Policy Preferences (GPP)
Technical Description
Legacy Group Policy Preferences stored encrypted passwords using a publicly known AES key.
Typical Targets
- Groups.xml
- Services.xml
- ScheduledTasks.xml
Impact
- Domain credential compromise
- Privilege escalation
- Lateral movement
IOCs
- Access to SYSVOL XML files
- Decryption tool execution
IR Actions
- Remove GPP credentials
- Rotate affected accounts
- Audit SYSVOL access
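"Remove GPP credentials" starts with finding every preference file that still carries a `cpassword` attribute. The added example below (not code from the article) walks a SYSVOL tree, parses the preference XML files named above plus the other preference types affected by the same issue, and reports the owning element and account without decrypting anything; the policy GUID, domain name and `cpassword` values in the sample tree are constructed placeholders.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword(xml_data, source: str) -> list:
    """Return one hit per element whose cpassword attribute is non-empty (empty means 'no password set')."""
    root = ET.fromstring(xml_data)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for el in root.iter():
        cp = el.attrib.get("cpassword")
        if not cp:
            continue
        owner = parent_of.get(el, el)  # cpassword sits on <Properties>; report the <User>/<Task>/... above it
        account = (el.attrib.get("userName") or el.attrib.get("accountName")
                   or el.attrib.get("runAs") or "?")
        hits.append({"source": source, "element": owner.tag, "account": account,
                     "cpassword_length": len(cp)})
    return hits


def scan_sysvol(root) -> list:
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            hits.extend(find_cpassword(path.read_bytes(), path.relative_to(root).as_posix()))
        except ET.ParseError:
            continue  # malformed file: worth a separate look, but not a cpassword hit
    return hits


def build_sample_sysvol(root=None) -> str:
    """Constructed SYSVOL fragment: placeholder GUID, placeholder cpassword blobs."""
    root = Path(root or tempfile.mkdtemp(prefix="t1552-sysvol-"))
    prefs = root / "example.local/Policies/{00000000-0000-0000-0000-000000000000}/Machine/Preferences"
    samples = {
        "Groups/Groups.xml": (
            '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n'
            '  <User name="LocalAdmin">\n'
            '    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_PLACEHOLDER_1" '
            'changeLogon="0" noChange="1" neverExpires="1"/>\n  </User>\n</Groups>\n'),
        "ScheduledTasks/ScheduledTasks.xml": (
            '<?xml version="1.0" encoding="utf-8"?>\n<ScheduledTasks>\n'
            '  <Task name="Backup">\n'
            '    <Properties action="C" runAs="EXAMPLE\\svc-backup" cpassword="CONSTRUCTED_PLACEHOLDER_2" '
            'appName="backup.exe"/>\n  </Task>\n</ScheduledTasks>\n'),
        "Services/Services.xml": (
            '<?xml version="1.0" encoding="utf-8"?>\n<NTServices>\n'
            '  <NTService name="Spooler">\n'
            '    <Properties action="U" accountName="LocalSystem" cpassword=""/>\n'
            '  </NTService>\n</NTServices>\n'),
    }
    for rel, content in samples.items():
        p = prefs / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return str(root)


if __name__ == "__main__":
    for hit in scan_sysvol(build_sample_sysvol()):
        print(hit)
```

Every hit is an account whose password must be rotated as well as a file to clean up: because SYSVOL is readable by every domain user, the password should be treated as disclosed regardless of who has been seen reading the file.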
T1552.007 – Container API
Technical Description
Container runtime APIs expose cluster-level credentials and control if improperly secured.
Abuse Examples
- Accessing /var/run/docker.sock
- Querying the Kubernetes API with mounted service account tokens
- Escaping containers via privileged APIs
IOCs
- API calls from unexpected containers
- Token reuse across namespaces
- Privileged container launches
IR Actions
- Restrict socket access
- Enforce RBAC
- Rotate service account tokens
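The three abuse examples and the three IR actions line up with checks that can run against exported manifests before anything is deployed: a `hostPath` volume that exposes the container runtime socket, a service account token that is auto-mounted into a pod that never calls the API, a `privileged` container, and a role binding that hands `cluster-admin` to a service account. The audit below is an added example, not code from the article; it takes Pod and (Cluster)RoleBinding objects as Python dicts in the shape `kubectl get ... -o json` produces, and the sample objects are constructed.

```python
# Runtime sockets whose exposure hands over control of the node's container engine.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock",
                   "/run/containerd/containerd.sock", "/var/run/crio/crio.sock"}


def audit_pod(pod: dict) -> list:
    """Return findings for one Pod object (dict in kubectl -o json shape)."""
    name = pod.get("metadata", {}).get("name", "?")
    spec = pod.get("spec", {})
    findings = []
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path")
        if host_path in RUNTIME_SOCKETS:
            findings.append(f"{name}: volume '{vol.get('name')}' exposes runtime socket {host_path}")
    # The token is mounted unless the pod (or its service account) opts out explicitly.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted; set "
                        "automountServiceAccountToken: false unless the pod calls the API")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        if container.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{container.get('name')}: privileged container")
    return findings


def audit_bindings(bindings) -> list:
    """Flag RoleBindings/ClusterRoleBindings that grant cluster-admin to service accounts."""
    findings = []
    for binding in bindings:
        if binding.get("roleRef", {}).get("name") != "cluster-admin":
            continue
        for subject in binding.get("subjects", []):
            kind, subj_name = subject.get("kind"), subject.get("name", "")
            if kind == "ServiceAccount" or subj_name.startswith("system:serviceaccounts"):
                findings.append(f"{binding['metadata']['name']}: cluster-admin bound to {kind} {subj_name}")
    return findings


# Constructed sample objects, not exported from a real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "ci-runner"}, "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "runner", "image": "ci/runner:1",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}]}},
    {"metadata": {"name": "web"}, "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "nginx", "image": "nginx:1"}]}},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "default-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"metadata": {"name": "ops-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "ops-lead"}]},
    {"metadata": {"name": "ci-edit"}, "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for finding in audit_pod(pod):
            print(finding)
    for finding in audit_bindings(SAMPLE_BINDINGS):
        print(finding)
```

The same checks are what a Pod Security admission policy or an OPA/Kyverno rule would enforce at admission time; running them over exported manifests is the cheap way to find what is already in the cluster before tightening RBAC and rotating the service account tokens that were mounted where they were not needed.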
T1552.008 – Chat Messages
Technical Description
Humans often share credentials via chat platforms, creating searchable credential repositories.
Sources
- Slack
- Microsoft Teams
- Discord
- Internal messaging tools
Why This Persists
- Convenience
- Lack of awareness
- False sense of privacy
IOCs
- Credential patterns in chat logs
- Token usage without associated logins
- Sudden access after chat exposure
IR Actions
- Revoke exposed credentials
- Educate users
- Deploy DLP and scanning bots
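The IOC "token usage without associated logins" is a correlation rather than a pattern match: a credential that was copied out of a chat gets used from somewhere that never performed the interactive login that normally precedes it. The following is an added example, not code from the article, of that correlation over a normalised authentication event stream; the event shape (`ts`, `user`, `kind`, `src`) and the 12-hour window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta


def detect_orphan_token_use(events, window=timedelta(hours=12)) -> list:
    """Flag token/API-key use with no recent interactive login by the same user,
    or from a source address different from that user's last login.

    events: dicts with ts (datetime), user, kind in {"login", "token_use"}, src (IP string).
    """
    last_login = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["kind"] == "login":
            last_login[event["user"]] = event
            continue
        if event["kind"] != "token_use":
            continue
        prior = last_login.get(event["user"])
        if prior is None or event["ts"] - prior["ts"] > window:
            alerts.append({**event, "reason": "token used with no interactive login in window"})
        elif prior["src"] != event["src"]:
            alerts.append({**event, "reason": f"token used from {event['src']} but last login came from {prior['src']}"})
    return alerts


# Constructed sample stream (documentation IP ranges only).
T0 = datetime(2024, 1, 2, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "user": "alice", "kind": "login", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=30), "user": "alice", "kind": "token_use", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(hours=1), "user": "bob", "kind": "token_use", "src": "10.0.0.9"},
    {"ts": T0 + timedelta(hours=1, minutes=15), "user": "alice", "kind": "token_use", "src": "203.0.113.7"},
    {"ts": T0 - timedelta(hours=13), "user": "carol", "kind": "login", "src": "10.0.0.7"},
    {"ts": T0 + timedelta(hours=2), "user": "carol", "kind": "token_use", "src": "10.0.0.7"},
]

if __name__ == "__main__":
    for alert in detect_orphan_token_use(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["reason"])
```

Service accounts that never log in interactively need their own baseline (expected source addresses or workloads) rather than this login rule, otherwise every one of their calls is an alert; the window length is a tuning knob, not a constant.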
Comprehensive Summary Table
| Sub-Technique | Credential Source | Primary Risk | Typical Impact | Key Mitigation |
|---|---|---|---|---|
| T1552.001 | Files | Plaintext exposure | Lateral movement | Secrets vaults |
| T1552.002 | Registry | Legacy storage | Privilege escalation | Registry hardening |
| T1552.003 | Shell history | CLI leakage | Account compromise | Secure CLI usage |
| T1552.004 | Private keys | Passwordless auth | Persistent access | Key rotation |
| T1552.005 | Metadata API | Cloud tokens | Cloud takeover | IAM hardening |
| T1552.006 | GPP | Domain creds | Domain compromise | Remove GPP secrets |
| T1552.007 | Container API | Cluster control | Infrastructure takeover | RBAC enforcement |
| T1552.008 | Chat messages | Human error | Silent credential theft | DLP + awareness |
Key Takeaway
T1552 is not a tooling problem—it is a process and discipline problem.
Any system that stores secrets insecurely becomes a credential distribution mechanism for attackers.
