Unsecured Credentials: Credentials In Files, Sub-technique T1552.001 - Enterprise

| ID | Name | Description |
| --- | --- | --- |
| S0677 | AADInternals | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[6] |
| S0331 | Agent Tesla | Agent Tesla has the ability to extract credentials from configuration or support files.[7] |
| C0062 | Anthropic AI-orchestrated Campaign | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to extract authentication certificates stored in system configuration files across compromised environments.[8] |
| G0022 | APT3 | APT3 has a tool that can locate credentials in files on the file system, such as those stored by Firefox or Chrome.[9] |
| G0064 | APT33 | APT33 has used a variety of publicly available tools, such as LaZagne, to gather credentials.[10][11] |
| S0344 | Azorult | Azorult can steal credentials from files belonging to common software such as Skype, Telegram, and Steam.[12] |
| S0089 | BlackEnergy | BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.[13][14] |
| G1003 | Ember Bear | Ember Bear has dumped configuration settings, including plaintext credentials, from accessed IP cameras.[15] |
| S0367 | Emotet | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the currently logged-on user.[16][17] |
| S0363 | Empire | Empire can use various modules to search for files containing passwords.[18] |
| G1016 | FIN13 | FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.[19] |
| G0117 | Fox Kitten | Fox Kitten has accessed files to gain valid credentials.[20] |
| S0601 | Hildegard | Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.[3] |
| G0119 | Indrik Spider | Indrik Spider has searched files to obtain and exfiltrate credentials.[21] |
| S0283 | jRAT | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.[22] |
| G0094 | Kimsuky | Kimsuky has used tools that are capable of obtaining credentials from saved mail.[23] |
| S0349 | LaZagne | LaZagne can obtain credentials from chats, databases, mail, and WiFi.[24] |
| G0077 | Leafminer | Leafminer used several tools for retrieving login and password information, including LaZagne.[25] |
| C0049 | Leviathan Australian Intrusions | During Leviathan Australian Intrusions, Leviathan gathered credentials stored in files related to Building Management System (BMS) operations.[26] |
| G0069 | MuddyWater | MuddyWater has run a tool that steals passwords saved in victim email.[27] |
| G0049 | OilRig | OilRig has used credential dumping tools such as LaZagne to steal credentials for accounts logged into the compromised system and for Outlook Web Access.[28][29][30][31] |
| S0067 | pngdowner | If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[32] |
| S0378 | PoshC2 | PoshC2 contains modules for searching for passwords in local and remote files.[33] |
| S0192 | Pupy | Pupy can use LaZagne for harvesting credentials.[34] |
| S0583 | Pysa | Pysa has extracted credentials from the password database before encrypting the files.[35] |
| S0262 | QuasarRAT | QuasarRAT can obtain passwords from FTP clients.[36][37] |
| G1039 | RedCurl | RedCurl used LaZagne to obtain passwords stored in files.[38][39] |
| G1015 | Scattered Spider | Scattered Spider searches for credential storage documentation on a compromised host.[40][41][42] |
| S9008 | Shai-Hulud | Shai-Hulud has gathered sensitive data stored in the Node.js process.env object, including credentials and API keys.[43][44][45] Shai-Hulud has harvested credentials stored in config files and credential files in victim environments, including ~/.aws/credentials, application_default_credentials.json, and azureProfile.json.[46][47][44][45] Shai-Hulud has also targeted credentials and tokens stored in the NPM .npmrc file and in GitHub config files.[46][47][44][45] |
| C0058 | SharePoint ToolShell Exploitation | During SharePoint ToolShell Exploitation, threat actors accessed web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.[48][49][50][51][52] |
| S0226 | Smoke Loader | Smoke Loader searches for files named logins.json to parse for credentials.[53] |
| S1183 | StrelaStealer | StrelaStealer searches for, and if found collects the contents of, files such as logins.json and key4.db in the %APPDATA%\Thunderbird\Profiles\ directory, which are associated with the Thunderbird email application.[54][55] |
| G0092 | TA505 | TA505 has used malware to gather credentials from FTP clients and Outlook.[56] |
| G0139 | TeamTNT | TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[57][58][59] |
| S0266 | TrickBot | TrickBot can obtain passwords stored in files from several applications such as Outlook, FileZilla, OpenSSH, OpenVPN, and WinSCP.[60][61] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[62] |
| S9009 | TruffleHog | TruffleHog has obtained credentials stored in config files and credential files in victim environments.[63][46] |
| S0117 | XTunnel | XTunnel is capable of accessing locally stored passwords on victims.[64] |