T1552

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files, operating system or application-specific repositories, shell history files, private key files, cloud instance metadata APIs, container environment variables, and group policy preference files. Tools like LaZagne, NirSoft utilities, and custom scripts are commonly used to automate credential harvesting across multiple storage locations simultaneously.

Microsoft Sentinel / Defender

kusto

let CredentialFilePatterns = dynamic([
  "password", "passwd", "credentials", "creds", "secret", "apikey", "api_key",
  ".aws\\credentials", "unattend.xml", "sysprep.xml", "web.config",
  "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", ".pem", ".pfx", ".p12",
  "vnc.ini", "filezilla", "winscp.ini", "putty", "bash_history", ".ssh"
]);
let CredentialHarvestingTools = dynamic([
  "lazagne", "nirsoft", "netpass", "credentialfileview", "passwordfox",
  "webbrowserpassview", "mailpassview", "vaultpassview", "credentialsfileview",
  "mimikatz", "wce.exe", "pwdump", "fgdump", "gsecdump"
]);
let CredentialRegistryPaths = dynamic([
  "\\SOFTWARE\\ORL\\WinVNC3\\Password",
  "\\SOFTWARE\\TightVNC\\Server",
  "\\SOFTWARE\\RealVNC\\WinVNC4",
  "\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities",
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  "\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions",
  "\\SOFTWARE\\OpenSSH",
  "DefaultPassword", "AltDefaultPassword"
]);
// Branch 1: Suspicious file access patterns indicating credential file enumeration
let FileCredentialAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileAccessed", "FileRead")
| where FolderPath has_any (CredentialFilePatterns) or FileName has_any (CredentialFilePatterns)
| where InitiatingProcessFileName !in~ ("svchost.exe", "SearchIndexer.exe", "MsMpEng.exe", "OneDrive.exe")
| extend DetectionBranch = "CredentialFileAccess"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch;
// Branch 2: Known credential harvesting tools
let HarvestingTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CredentialHarvestingTools)
   or ProcessCommandLine has_any (CredentialHarvestingTools)
   or InitiatingProcessFileName has_any (CredentialHarvestingTools)
| extend DetectionBranch = "CredentialHarvestingTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch;
// Branch 3: Registry queries to credential storage locations
let RegistryCredentialQuery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (CredentialRegistryPaths) or RegistryValueName has_any ("Password", "DefaultPassword", "AltDefaultPassword")
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe")
| extend DetectionBranch = "RegistryCredentialQuery"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName=InitiatingProcessParentFileName,
         InitiatingProcessCommandLine=InitiatingProcessParentCommandLine,
         InitiatingProcessParentFileName="", DetectionBranch;
// Branch 4: PowerShell or cmd searching for credential content in files
let ScriptedCredentialSearch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh")
| where ProcessCommandLine has_any (
    "Get-Content", "gc ", "cat ", "type ", "findstr", "grep",
    "Select-String", "sls "
  )
  and ProcessCommandLine has_any (
    "password", "passwd", "credentials", "secret", "apikey", "api_key",
    "connectionstring", "pwd", "passw"
  )
| extend DetectionBranch = "ScriptedCredentialSearch"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch;
union FileCredentialAccess, HarvestingTools, RegistryCredentialQuery, ScriptedCredentialSearch
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Windows Registry: Windows Registry Key Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents DeviceRegistryEvents

False Positives

Password managers (KeePass, Bitwarden, 1Password desktop) legitimately accessing their own credential files
SSH clients (PuTTY, OpenSSH, WinSCP) reading .pem or known_hosts files as part of normal connection workflow
Configuration management tools (Ansible, Puppet, Chef) reading web.config or unattend.xml during deployments
Security scanners (Tenable, Qualys) that enumerate credential file locations as part of vulnerability assessments
Backup software reading all file types including credential-related files as part of scheduled backup jobs

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*password*" OR CommandLine="*passwd*" OR CommandLine="*credentials*" OR CommandLine="*secret*" OR CommandLine="*apikey*" OR CommandLine="*api_key*")
  (CommandLine="*findstr*" OR CommandLine="*Get-Content*" OR CommandLine="*Select-String*" OR CommandLine="*grep*" OR CommandLine="* type *" OR CommandLine="*cat *")
  | eval DetectionBranch="ScriptedCredentialSearch"
  | eval RiskScore=25
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*lazagne*" OR Image="*netpass*" OR Image="*passwordfox*" OR Image="*webbrowserpassview*" OR Image="*vaultpassview*" OR Image="*credentialfileview*" OR Image="*mailpassview*")
  OR (CommandLine="*lazagne*" OR CommandLine="*netpass*" OR CommandLine="*nirsoft*")
  | eval DetectionBranch="CredentialHarvestingTool"
  | eval RiskScore=75
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  (TargetObject="*\\WinVNC3\\Password*" OR TargetObject="*\\TightVNC\\Server*" OR TargetObject="*\\RealVNC*" OR TargetObject="*Winlogon*DefaultPassword*" OR TargetObject="*PuTTY\\Sessions*" OR TargetObject="*SNMP*ValidCommunities*")
  | eval DetectionBranch="RegistryCredentialAccess"
  | eval RiskScore=50
  | table _time, host, User, Image, CommandLine, TargetObject, Details, ParentImage, DetectionBranch, RiskScore
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.pem" OR TargetFilename="*.pfx" OR TargetFilename="*.p12" OR TargetFilename="*id_rsa*" OR TargetFilename="*id_dsa*" OR TargetFilename="*id_ecdsa*" OR TargetFilename="*unattend.xml" OR TargetFilename="*credentials" OR TargetFilename="*vnc.ini" OR TargetFilename="*winscp.ini")
  NOT (Image="*\\svchost.exe" OR Image="*\\SearchIndexer.exe" OR Image="*\\MsMpEng.exe")
  | eval DetectionBranch="CredentialFileCreatedOrAccessed"
  | eval RiskScore=40
  | table _time, host, User, Image, TargetFilename, CommandLine, ParentImage, DetectionBranch, RiskScore
]
| eval Severity=case(RiskScore >= 75, "Critical", RiskScore >= 50, "High", RiskScore >= 25, "Medium", true(), "Low")
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Access File: File Creation Command: Command Execution Sysmon Event IDs 1, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Password managers reading their own encrypted credential stores during normal operation
SSH tooling (PuTTY, OpenSSH for Windows, WinSCP) accessing .pem and known_hosts files during connection establishment
Backup and archival software accessing all file types including private keys and configuration files
DevOps pipeline agents reading web.config, unattend.xml, or credential files during CI/CD deployments
IT provisioning scripts using findstr or Select-String to validate configuration file contents post-deployment

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where
  (
    (event.category == "process" and event.type == "start" and
     (
       process.name : ("lazagne.exe", "netpass.exe", "passwordfox.exe", "webbrowserpassview.exe",
                        "vaultpassview.exe", "credentialfileview.exe", "mailpassview.exe",
                        "mimikatz.exe", "wce.exe", "pwdump*.exe", "fgdump.exe", "gsecdump.exe")
       or process.command_line : ("*lazagne*", "*nirsoft*", "*netpass*", "*mimikatz*")
     )
    )
    or
    (event.category == "file" and event.type in ("access", "creation") and
     (
       file.path : ("*password*", "*passwd*", "*credentials*", "*creds*", "*secret*",
                    "*apikey*", "*api_key*", "*.aws*credentials*", "*unattend.xml",
                    "*sysprep.xml", "*id_rsa*", "*id_dsa*", "*id_ecdsa*", "*id_ed25519*",
                    "*.pem", "*.pfx", "*.p12", "*vnc.ini", "*filezilla*", "*winscp.ini",
                    "*putty*", "*.bash_history", "*.ssh*", "*web.config")
       and not process.name : ("svchost.exe", "SearchIndexer.exe", "MsMpEng.exe", "OneDrive.exe")
     )
    )
    or
    (event.category == "registry" and
     registry.path : ("*WinVNC3*Password*", "*TightVNC*Server*", "*RealVNC*WinVNC4*",
                       "*SNMP*ValidCommunities*", "*Winlogon*DefaultPassword*",
                       "*PuTTY*Sessions*", "*OpenSSH*")
     and not process.name : ("svchost.exe", "lsass.exe", "services.exe")
    )
    or
    (event.category == "process" and event.type == "start" and
     process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh") and
     process.command_line : ("*Get-Content*", "*findstr*", "*Select-String*", "*grep*", "* type *", "*cat *") and
     process.command_line : ("*password*", "*passwd*", "*credentials*", "*secret*", "*apikey*", "*api_key*", "*connectionstring*", "*passw*")
    )
  )
]

high severity high confidence

Data Sources

Endpoint (Elastic Agent) Windows Event Logs via Winlogbeat Sysmon via Filebeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-*

False Positives

Security administrators running legitimate credential auditing tools such as CyberArk discovery scanners or privileged access management agents that access SSH key paths
Backup agents (Veeam, Acronis) reading configuration files containing connection strings or API keys as part of scheduled backup jobs
Developer tooling (Git credential helpers, AWS CLI configuration checks, IDE plugins) accessing .aws/credentials or .ssh config files during normal software development workflows
IT compliance tools performing configuration baseline checks that read Winlogon registry keys or enumerate PuTTY session configurations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "sourceip",
  QIDNAME(qid) AS event_name,
  "EventID",
  "CommandLine",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "TargetObject" AS registry_target,
  "TargetFilename" AS target_filename,
  CASE
    WHEN "Image" IMATCHES '(?i).*(lazagne|netpass|passwordfox|webbrowserpassview|vaultpassview|credentialfileview|mailpassview|mimikatz|wce\.exe|pwdump|fgdump|gsecdump).*' THEN 'CredentialHarvestingTool'
    WHEN "EventID" = '13' AND "TargetObject" IMATCHES '(?i).*(WinVNC3.Password|TightVNC.Server|RealVNC|Winlogon.DefaultPassword|PuTTY.Sessions|SNMP.ValidCommunities|OpenSSH).*' THEN 'RegistryCredentialAccess'
    WHEN "EventID" = '11' AND "TargetFilename" IMATCHES '(?i).*(\.pem|\.pfx|\.p12|id_rsa|id_dsa|id_ecdsa|unattend\.xml|credentials|vnc\.ini|winscp\.ini|\.bash_history|\.aws).*' THEN 'CredentialFileAccess'
    WHEN "EventID" = '1' AND "CommandLine" IMATCHES '(?i).*(Get-Content|findstr|Select-String|grep|\btype\b|\bcat\b).*(password|passwd|credentials|secret|apikey|api_key|connectionstring|passw).*' THEN 'ScriptedCredentialSearch'
    ELSE 'Unknown'
  END AS detection_branch,
  CASE
    WHEN "Image" IMATCHES '(?i).*(lazagne|mimikatz|pwdump|wce\.exe).*' THEN 75
    WHEN "EventID" = '13' AND "TargetObject" IMATCHES '(?i).*(Winlogon.DefaultPassword|WinVNC3).*' THEN 60
    WHEN "EventID" = '11' AND "TargetFilename" IMATCHES '(?i).*(id_rsa|\.pem|\.pfx).*' THEN 50
    WHEN "EventID" = '1' AND "CommandLine" IMATCHES '(?i).*(password|passwd|secret).*' THEN 30
    ELSE 20
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 119, 143)
  AND starttime > NOW() - 86400000
  AND (
    "Image" IMATCHES '(?i).*(lazagne|netpass|passwordfox|webbrowserpassview|vaultpassview|credentialfileview|mailpassview|mimikatz|wce\.exe|pwdump|fgdump|gsecdump).*'
    OR "CommandLine" IMATCHES '(?i).*(lazagne|netpass|nirsoft|mimikatz).*'
    OR (
      "EventID" = '13'
      AND "TargetObject" IMATCHES '(?i).*(WinVNC3|TightVNC|RealVNC|Winlogon.*DefaultPassword|PuTTY.*Sessions|SNMP.*ValidCommunities|OpenSSH).*'
      AND "Image" NOT IMATCHES '(?i).*(svchost|lsass|services)\.exe.*'
    )
    OR (
      "EventID" = '11'
      AND "TargetFilename" IMATCHES '(?i).*(\.pem|\.pfx|\.p12|id_rsa|id_dsa|id_ecdsa|unattend\.xml|credentials|vnc\.ini|winscp\.ini|\.bash_history).*'
      AND "Image" NOT IMATCHES '(?i).*(svchost|SearchIndexer|MsMpEng|OneDrive)\.exe.*'
    )
    OR (
      "EventID" = '1'
      AND "Image" IMATCHES '(?i).*(powershell|pwsh|cmd|bash|sh).*'
      AND "CommandLine" IMATCHES '(?i).*(Get-Content|findstr|Select-String|grep|\btype\b|cat ).*'
      AND "CommandLine" IMATCHES '(?i).*(password|passwd|credentials|secret|apikey|api_key|connectionstring|passw).*'
    )
  )
ORDER BY risk_score DESC, starttime DESC

high severity high confidence

Data Sources

Sysmon Operational Log (EventIDs 1, 11, 13) Windows Security Event Log QRadar Endpoint DSM

Required Tables

events

False Positives

Privileged access management (PAM) solutions such as BeyondTrust or CyberArk performing scheduled credential vault discovery may trigger registry and file-based detection branches
System administrators using SysInternals tools or PowerShell remoting to audit SSH key presence and rotation compliance across managed hosts
Antivirus or EDR agents (Carbon Black, Cortex XDR) scanning for credential files as part of on-access or scheduled threat hunting routines

Sumo Logic CSE

sql

// Branch 1: Credential Harvesting Tool Execution
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoints/sysmon")
| parse xml field=_raw "<EventID>*</EventID>" as EventID
| parse xml field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse xml field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse xml field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse xml field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse xml field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
| parse xml field=_raw "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse xml field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| where EventID in ("1", "11", "13")
| where
  (
    EventID == "1" and (
      matches(Image, "(?i).*(lazagne|netpass|passwordfox|webbrowserpassview|vaultpassview|credentialfileview|mailpassview|mimikatz|wce\.exe|pwdump|fgdump|gsecdump).*")
      or matches(CommandLine, "(?i).*(lazagne|nirsoft|netpass|mimikatz).*")
    )
  )
  or
  (
    EventID == "13" and
    matches(TargetObject, "(?i).*(WinVNC3.*Password|TightVNC.*Server|RealVNC|Winlogon.*DefaultPassword|PuTTY.*Sessions|SNMP.*ValidCommunities|OpenSSH).*")
    and !matches(Image, "(?i).*(svchost|lsass|services)\.exe.*")
  )
  or
  (
    EventID == "11" and
    matches(TargetFilename, "(?i).*(\.pem|\.pfx|\.p12|id_rsa|id_dsa|id_ecdsa|unattend\.xml|credentials|vnc\.ini|winscp\.ini|\.bash_history|\.aws).*")
    and !matches(Image, "(?i).*(svchost|SearchIndexer|MsMpEng|OneDrive)\.exe.*")
  )
  or
  (
    EventID == "1" and
    matches(Image, "(?i).*(powershell|pwsh|cmd|bash|sh).*") and
    matches(CommandLine, "(?i).*(Get-Content|findstr|Select-String|grep|\btype\b|cat ).*") and
    matches(CommandLine, "(?i).*(password|passwd|credentials|secret|apikey|api_key|connectionstring|passw).*")
  )
| eval DetectionBranch = if(EventID == "1" and matches(Image, "(?i).*(lazagne|mimikatz|pwdump|netpass).*"), "CredentialHarvestingTool",
    if(EventID == "13", "RegistryCredentialAccess",
    if(EventID == "11", "CredentialFileAccess", "ScriptedCredentialSearch")))
| eval RiskScore = if(DetectionBranch == "CredentialHarvestingTool", 75,
    if(DetectionBranch == "RegistryCredentialAccess", 50,
    if(DetectionBranch == "CredentialFileAccess", 40, 25)))
| eval Severity = if(RiskScore >= 75, "Critical",
    if(RiskScore >= 50, "High",
    if(RiskScore >= 25, "Medium", "Low")))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TargetObject, TargetFilename, DetectionBranch, RiskScore, Severity
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sysmon Operational Events (Windows) Sumo Logic Windows Collection Agent

Required Tables

windows/sysmon endpoints/sysmon

False Positives

Enterprise password managers (1Password, Bitwarden, KeePass) accessing their encrypted vault files may match credential file path patterns if stored in user home directories
CI/CD pipeline agents (Jenkins, GitHub Actions runner) reading application configuration files such as web.config or environment files containing connection strings during build processes
IT infrastructure management tools (Puppet, Chef, Ansible) using PowerShell modules to read or validate configuration files that contain service account credentials

Google Chronicle / SecOps

yaral

rule t1552_unsecured_credentials_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552 Unsecured Credentials access via credential harvesting tool execution, sensitive file access, registry credential path queries, and scripted credential searches"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1552/"
    platform = "Windows"
    rule_version = "1.0"

  events:
    (
      // Branch 1: Known credential harvesting tools
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.principal.process.file.full_path, `(?i)(lazagne|netpass\.exe|passwordfox|webbrowserpassview|vaultpassview|credentialfileview|mailpassview|mimikatz|wce\.exe|pwdump|fgdump|gsecdump)`) or
        re.regex($e.target.process.command_line, `(?i)(lazagne|nirsoft|netpass|mimikatz)`)
      )
    ) or
    (
      // Branch 2: Credential file access (file create/read events)
      $e.metadata.event_type = "FILE_OPEN" and
      re.regex($e.target.file.full_path, `(?i)(\.pem$|\.pfx$|\.p12$|id_rsa|id_dsa|id_ecdsa|id_ed25519|unattend\.xml|sysprep\.xml|vnc\.ini|filezilla|winscp\.ini|putty|\.bash_history|\.aws[/\\]credentials|web\.config|password|passwd|credentials|creds|secret|apikey|api_key|\.ssh[/\\])`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(svchost\.exe|SearchIndexer\.exe|MsMpEng\.exe|OneDrive\.exe)`)
    ) or
    (
      // Branch 3: Registry credential path queries
      $e.metadata.event_type = "REGISTRY_OPEN_KEY" and
      re.regex($e.target.registry.registry_key, `(?i)(WinVNC3[/\\]Password|TightVNC[/\\]Server|RealVNC[/\\]WinVNC4|SNMP[/\\]Parameters[/\\]ValidCommunities|Winlogon[/\\](Default|AltDefault)Password|PuTTY[/\\]Sessions|OpenSSH)`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(svchost\.exe|lsass\.exe|services\.exe)`)
    ) or
    (
      // Branch 4: Scripted credential searches via shell/PowerShell
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|bash|\bsh\b)`) and
      re.regex($e.target.process.command_line, `(?i)(Get-Content|findstr|Select-String|grep|\btype\b|\bcat\b)`) and
      re.regex($e.target.process.command_line, `(?i)(password|passwd|credentials|secret|apikey|api_key|connectionstring|pwd|passw)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint Forwarder (UDM) Sysmon via Chronicle Forwarder

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_OPEN, REGISTRY_OPEN_KEY)

False Positives

Endpoint detection response (EDR) solutions with built-in credential access detection may generate PROCESS_LAUNCH events for their own scanning modules that match tool name patterns
SSH key rotation scripts executed by configuration management platforms (SaltStack, Ansible Tower) will match file access patterns when reading or replacing id_rsa and id_ecdsa key files
Application secrets scanning tools integrated into developer workstations (git-secrets, truffleHog) trigger scripted credential search detection when performing pre-commit hooks that grep for secret patterns

CrowdStrike LogScale (CQL)

cql

// T1552 Unsecured Credentials Detection — CrowdStrike LogScale CQL
// Branch 1: Credential Harvesting Tool Execution
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(lazagne|netpass\.exe|passwordfox|webbrowserpassview|vaultpassview|credentialfileview|mailpassview|mimikatz|wce\.exe|pwdump|fgdump\.exe|gsecdump)/
OR CommandLine = /(?i)(lazagne|nirsoft|netpass|mimikatz)/
| eval DetectionBranch="CredentialHarvestingTool"
| eval RiskScore=75

| union [
  // Branch 2: Credential File Access
  #event_simpleName=SuspiciousFilePath OR #event_simpleName=ManagedAssets
  | TargetFileName = /(?i)(\.pem$|\.pfx$|\.p12$|id_rsa|id_dsa|id_ecdsa|id_ed25519|unattend\.xml|vnc\.ini|filezilla|winscp\.ini|\.bash_history|\.aws.credentials|web\.config|password|passwd|credentials|creds|secret|apikey|api_key)/
  | ImageFileName != /(?i)(svchost\.exe|SearchIndexer\.exe|MsMpEng\.exe|OneDrive\.exe)/
  | eval DetectionBranch="CredentialFileAccess"
  | eval RiskScore=40
]

| union [
  // Branch 3: Registry Credential Path Query
  #event_simpleName=RegQueryValue OR #event_simpleName=RegOpenKey
  | RegObjectName = /(?i)(WinVNC3.Password|TightVNC.Server|RealVNC.WinVNC4|SNMP.ValidCommunities|Winlogon.DefaultPassword|PuTTY.Sessions|OpenSSH)/
  | ImageFileName != /(?i)(svchost\.exe|lsass\.exe|services\.exe)/
  | eval DetectionBranch="RegistryCredentialAccess"
  | eval RiskScore=50
]

| union [
  // Branch 4: Scripted Credential Search via Shell
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|bash|\bsh\.exe)/
  | CommandLine = /(?i)(Get-Content|findstr|Select-String|grep|\btype\b|\bcat\b)/
  | CommandLine = /(?i)(password|passwd|credentials|secret|apikey|api_key|connectionstring|passw)/
  | eval DetectionBranch="ScriptedCredentialSearch"
  | eval RiskScore=25
]

| eval Severity=if(RiskScore >= 75, "Critical",
    if(RiskScore >= 50, "High",
    if(RiskScore >= 25, "Medium", "Low")))
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionBranch, RiskScore, Severity])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor Falcon ProcessRollup2 Events Falcon Registry Events Falcon File Events

Required Tables

ProcessRollup2 SuspiciousFilePath RegQueryValue RegOpenKey

False Positives

CrowdStrike Falcon's own sensor processes or Real-Time Response (RTR) sessions accessing credential file paths during forensic investigations or threat hunting operations initiated by security teams
Legitimate software deployment tools (SCCM, Intune) reading unattend.xml or sysprep.xml files during OS deployment or imaging workflows on endpoints
Developers using Windows Subsystem for Linux (WSL) with bash to manage SSH keys or AWS CLI profiles will trigger scripted credential search detection when running key management commands

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1552 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Unsecured Credentials

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (8)

Same Tactic: Credential Access

Popular Detections