T1552.001

Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These include user-created credential files, shared credential stores, configuration files with embedded passwords, and source code containing hardcoded credentials. Threat actors and malware including Emotet, APT33, LaZagne, Pupy, PoshC2, and Smoke Loader actively search for credential files. Commonly targeted files include web.config, applicationHost.config, .htaccess, unattend.xml (Group Policy Preferences), cloud credential files (~/.aws/credentials, ~/.azure/accessTokens.json), and any plaintext files with 'password' in the content.

Microsoft Sentinel / Defender

kusto

// Detect credential file search and access
let CredentialFilePaths = dynamic([
  ".aws/credentials", ".azure", "accessTokens.json", "credentials.json",
  "unattend.xml", "sysprep.xml", "web.config", "applicationHost.config",
  "passwd", "shadow", ".htpasswd", "id_rsa", "id_ecdsa", "id_ed25519",
  "ConsoleHost_history.txt", ".bash_history", ".zsh_history",
  "KeePass", "1Password", "passwords.txt", "creds.txt", "logins.json"
]);
let SearchToolPatterns = dynamic([
  "findstr", "Select-String", "grep", "dir /s", "Get-ChildItem",
  "type ", "cat ", "LaZagne", "mimikatz"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// Credential file access via search tools
| where ProcessCommandLine has_any (CredentialFilePaths)
    and ProcessCommandLine has_any (SearchToolPatterns)
| extend SearchTool = case(
    ProcessCommandLine has "findstr", "findstr",
    ProcessCommandLine has "Select-String", "Select-String",
    ProcessCommandLine has "Get-ChildItem", "Get-ChildItem",
    ProcessCommandLine has "LaZagne", "LaZagne",
    "Other"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, SearchTool
| union (
    // Detect direct file access to known credential file locations
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileRead" or ActionType == "FileAccessed"
    | where FolderPath has_any (".ssh", ".aws", ".azure", "PSReadline",
                               "Unattend", "SYSVOL", "sysprep")
        and (FileName has_any ("credentials", "password", "id_rsa", "history",
                               "unattend", "sysprep", "accessTokens") or
             FileName endswith ".pem" or FileName endswith ".ppk" or
             FileName endswith ".p12" or FileName endswith ".pfx")
    | where InitiatingProcessFileName !in~ ("explorer.exe", "OneDrive.exe", "backup.exe")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
             InitiatingProcessFileName, InitiatingProcessCommandLine
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Access

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Backup agents legitimately reading configuration files and credential stores as part of system backup operations
Security scanning tools (Tenable, Qualys) that enumerate credential files during vulnerability assessments
Configuration management tools (Ansible, Chef, Puppet) reading configuration files including those containing credentials
Password managers and single sign-on agents that legitimately access credential file locations
IT auditing scripts that scan for hardcoded credentials as a security best practice enforcement measure

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and (
    (process.name in ("findstr.exe", "grep", "grep.exe") and
      process.args : ("*password*", "*passwd*", "*cred*", "*unattend*", "*web.config*", "*.pem*", "*.pfx*", "*.ppk*")) or
    (process.name in ("powershell.exe", "pwsh.exe") and
      process.args : ("*Select-String*", "*Get-ChildItem*", "*Get-Content*") and
      process.args : ("*password*", "*credentials*", "*.pem*", "*.pfx*", "*.ppk*", "*id_rsa*")) or
    (process.name == "cmd.exe" and
      process.args : ("*dir*") and
      process.args : ("*password*", "*cred*", "*credentials*")) or
    (process.name : ("lazagne.exe", "mimikatz.exe")) or
    (process.args : ("*lazagne*", "*mimikatz*"))
  )] by process.entity_id
  [file where event.action in ("open", "read", "accessed") and
    (
      file.path : ("*\\.ssh\\*", "*\\.aws\\credentials*", "*\\.azure\\*",
                   "*ConsoleHost_history.txt*", "*Unattend.xml*", "*sysprep.xml*",
                   "*web.config*", "*applicationHost.config*", "*\\.htpasswd*",
                   "*\\id_rsa*", "*\\id_ecdsa*", "*\\id_ed25519*",
                   "*accessTokens.json*", "*credentials.json*",
                   "*passwords.txt*", "*creds.txt*", "*logins.json*") or
      file.extension in ("pem", "ppk", "p12", "pfx", "key")
    ) and
    not process.name in~ ("explorer.exe", "OneDrive.exe", "backup.exe", "svchost.exe")
  ] by process.entity_id

OR

any where event.category == "file" and
  event.action in ("open", "read", "accessed") and
  (
    file.path : ("*\\.ssh\\*", "*\\.aws\\credentials*", "*\\.azure\\accessTokens.json*",
                 "*ConsoleHost_history.txt*", "*Unattend.xml*", "*sysprep.xml*",
                 "*web.config*", "*applicationHost.config*",
                 "*\\id_rsa", "*\\id_ecdsa", "*\\id_ed25519",
                 "*passwords.txt", "*creds.txt", "*logins.json",
                 "*accessTokens.json", "*credentials.json",
                 "*KeePass*", "*1Password*") or
    file.extension in ("pem", "ppk", "p12", "pfx")
  ) and
  not process.name in~ ("explorer.exe", "OneDrive.exe", "backup.exe", "svchost.exe", "taskhostw.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (Windows Event Logs)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate IT administrators auditing credential files for compliance or rotation purposes using the same tooling
Backup solutions and configuration management tools (Ansible, Puppet, Chef) that legitimately read configuration files containing credentials during deployment or backup operations
Developer workflows that read .aws/credentials, SSH keys, or application config files as part of normal development or CI/CD pipeline operations
Security scanning tools (Tenable, Qualys, Nessus agents) that may enumerate config files during vulnerability assessments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "Message" AS raw_message,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 314)
  AND starttime > NOW() - 86400000
  AND (
    -- Credential file search via common tools
    (
      QIDNAME(qid) LIKE '%Process%Create%'
      AND (
        (
          LOWER("Message") LIKE '%findstr%'
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%passwd%'
            OR LOWER("Message") LIKE '%unattend%'
            OR LOWER("Message") LIKE '%web.config%'
            OR LOWER("Message") LIKE '%credentials%'
            OR LOWER("Message") LIKE '%.pem%'
            OR LOWER("Message") LIKE '%.pfx%'
          )
        )
        OR (
          LOWER("Message") LIKE '%powershell%'
          AND (
            LOWER("Message") LIKE '%select-string%'
            OR LOWER("Message") LIKE '%get-childitem%'
            OR LOWER("Message") LIKE '%get-content%'
          )
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%credentials%'
            OR LOWER("Message") LIKE '%id_rsa%'
            OR LOWER("Message") LIKE '%.pem%'
            OR LOWER("Message") LIKE '%.pfx%'
            OR LOWER("Message") LIKE '%.ppk%'
          )
        )
        OR LOWER("Message") LIKE '%lazagne%'
        OR LOWER("Message") LIKE '%mimikatz%'
        OR (
          LOWER("Message") LIKE '%cmd.exe%'
          AND LOWER("Message") LIKE '%dir %'
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%credentials%'
          )
        )
      )
    )
    OR
    -- Direct access to known credential file paths
    (
      QIDNAME(qid) LIKE '%File%'
      AND (
        LOWER("Message") LIKE '%\.ssh\%'
        OR LOWER("Message") LIKE '%\.aws\credentials%'
        OR LOWER("Message") LIKE '%\.azure\%'
        OR LOWER("Message") LIKE '%consoleshost_history.txt%'
        OR LOWER("Message") LIKE '%unattend.xml%'
        OR LOWER("Message") LIKE '%sysprep.xml%'
        OR LOWER("Message") LIKE '%web.config%'
        OR LOWER("Message") LIKE '%applicationhost.config%'
        OR LOWER("Message") LIKE '%\id_rsa%'
        OR LOWER("Message") LIKE '%accesstokens.json%'
        OR LOWER("Message") LIKE '%credentials.json%'
        OR LOWER("Message") LIKE '%passwords.txt%'
        OR LOWER("Message") LIKE '%creds.txt%'
        OR LOWER("Message") LIKE '%logins.json%'
        OR LOWER("Message") LIKE '%.ppk%'
        OR LOWER("Message") LIKE '%.p12%'
        OR LOWER("Message") LIKE '%.pfx%'
      )
      AND NOT (
        LOWER("Message") LIKE '%explorer.exe%'
        OR LOWER("Message") LIKE '%onedrive.exe%'
        OR LOWER("Message") LIKE '%backup.exe%'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Linux Audit Log (auditd) EDR log sources

Required Tables

events

False Positives

Legitimate system administrators using findstr or PowerShell cmdlets to audit or validate presence of credential files as part of security review or credential rotation workflows
Configuration management and orchestration tools (Ansible, Puppet, Chef, SCCM) that enumerate configuration files containing credentials during managed deployments
Developer toolchains and IDEs that access .aws/credentials, SSH keys, or other credential stores during normal application development, testing, or CI/CD pipeline execution

Sumo Logic CSE

sql

// Credential File Search and Access Detection - T1552.001
(_sourceCategory="*WinEventLog*" OR _sourceCategory="*Sysmon*" OR _sourceCategory="*endpoint*")
| parse "Image=*\\\\*" as process_path, process_name nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "TargetFilename=*" as target_file nodrop
| parse "User=*" as user nodrop
| parse "Computer=*" as host nodrop
| parse "EventCode=*" as event_code nodrop
| where (
    // Credential file search via process activity (Sysmon EID 1 / Security EID 4688)
    (
      event_code in ("1", "4688")
      and (
        (
          process_name matches "(?i)(findstr\\.exe|grep\\.exe|grep)"
          and (
            command_line matches "(?i)(password|passwd|credential|unattend|sysprep|web\\.config|\\.pem|\\.pfx|\\.ppk|id_rsa)"
          )
        )
        or (
          process_name matches "(?i)(powershell\\.exe|pwsh\\.exe)"
          and command_line matches "(?i)(Select-String|Get-ChildItem|Get-Content)"
          and command_line matches "(?i)(password|credentials|id_rsa|\\.pem|\\.pfx|\\.ppk|accessTokens|logins\\.json)"
        )
        or (
          process_name matches "(?i)(cmd\\.exe)"
          and command_line matches "(?i)dir "
          and command_line matches "(?i)(password|credentials|cred)"
        )
        or command_line matches "(?i)(lazagne|mimikatz)"
        or process_name matches "(?i)(lazagne\\.exe|mimikatz\\.exe)"
      )
    )
    or
    // Direct credential file access (Sysmon EID 11)
    (
      event_code == "11"
      and (
        target_file matches "(?i)(\\.ssh[\\/]|credentials|\\.aws[\\/]credentials|\\.azure[\\/]|ConsoleHost_history\.txt|Unattend\.xml|sysprep\.xml|web\.config|applicationHost\.config|id_rsa|id_ecdsa|id_ed25519|accessTokens\.json|credentials\.json|passwords\.txt|creds\.txt|logins\.json|KeePass|1Password|\.ppk|\.pfx|\.p12|\.pem)"
      )
      and not process_name matches "(?i)(explorer\.exe|OneDrive\.exe|backup\.exe|svchost\.exe)"
    )
  )
| eval alert_type = if(event_code in ("1","4688"), "CredentialFileSearch", "CredentialFileAccess")
| count by _messageTime, host, user, process_name, command_line, target_file, alert_type
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (Windows) Windows Security Event Log Sumo Logic Cloud SIEM

Required Tables

_sourceCategory=*WinEventLog* _sourceCategory=*Sysmon*

False Positives

IT administrators and security teams performing credential audits or using tools like findstr and PowerShell to validate credential file locations for compliance and rotation activities
Application deployments and CI/CD pipelines that access .aws/credentials, SSH keys, or service account credential files as part of legitimate build and deployment workflows
Password manager applications (KeePass, 1Password) opening their own credential database files during normal user operation

Google Chronicle / SecOps

yaral

rule t1552_001_credentials_in_files {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversary searches for credentials stored in files via common enumeration tools and direct access to known credential file locations. Covers T1552.001 - Credentials In Files."
    mitre_attack_technique = "T1552.001"
    mitre_attack_tactic = "Credential Access"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1552/001/"
    created = "2026-04-21"

  events:
    (
      // Pattern 1: Credential search tool execution with credential file arguments
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          re.regex($e1.principal.process.file.full_path, `(?i)(findstr\.exe|grep\.exe)$`)
          and re.regex($e1.target.process.command_line, `(?i)(password|passwd|credential|unattend|sysprep|web\.config|\.pem|\.pfx|\.ppk|id_rsa)`)
        )
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
          and re.regex($e1.target.process.command_line, `(?i)(Select-String|Get-ChildItem|Get-Content)`)
          and re.regex($e1.target.process.command_line, `(?i)(password|credentials|id_rsa|\.pem|\.pfx|\.ppk|accessTokens|logins\.json)`)
        )
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)(cmd\.exe)$`)
          and re.regex($e1.target.process.command_line, `(?i)dir\s`)
          and re.regex($e1.target.process.command_line, `(?i)(password|credentials|cred)`)
        )
        or re.regex($e1.target.process.command_line, `(?i)(lazagne|mimikatz)`)
        or re.regex($e1.target.process.file.full_path, `(?i)(lazagne\.exe|mimikatz\.exe)$`)
      )
    )
    or
    (
      // Pattern 2: Direct file access to known credential file locations
      $e1.metadata.event_type = "FILE_OPEN"
      and (
        re.regex($e1.target.file.full_path, `(?i)([\\/]\.ssh[\\/]|[\\/]\.aws[\\/]credentials|[\\/]\.azure[\\/]|ConsoleHost_history\.txt|Unattend\.xml|sysprep\.xml|web\.config|applicationHost\.config|[\\/]id_rsa$|[\\/]id_ecdsa$|[\\/]id_ed25519$|accessTokens\.json|credentials\.json|passwords\.txt|creds\.txt|logins\.json)`)
        or re.regex($e1.target.file.full_path, `(?i)\.(ppk|p12|pfx|pem)$`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(explorer\.exe|OneDrive\.exe|backup\.exe|svchost\.exe|taskhostw\.exe)$`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs (via Chronicle forwarder) EDR telemetry (via Chronicle integration)

Required Tables

PROCESS_LAUNCH UDM events FILE_OPEN UDM events

False Positives

Security engineers running authorized credential audits using findstr or PowerShell to locate and inventory credential files for security assessments or hardening exercises
DevOps pipelines and infrastructure-as-code tools that read cloud credential files (.aws/credentials, service account JSON files) during resource provisioning and configuration management
Password manager software and credential management applications that access their own database files and synced credential stores during normal operation

CrowdStrike LogScale (CQL)

cql

// T1552.001 - Credentials In Files: Search and Access Detection

// Pattern 1: Credential file search via enumeration tools
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(findstr|Select-String|Get-ChildItem|Get-Content|grep)/
| CommandLine = /(?i)(password|passwd|credential|unattend|sysprep|web\.config|\.pem|\.pfx|\.ppk|id_rsa|accessTokens|logins\.json|creds\.txt)/
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine])

OR

// Pattern 2: LaZagne or Mimikatz execution
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(lazagne\.exe|mimikatz\.exe)/
   OR CommandLine = /(?i)(lazagne|mimikatz)/
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName])

OR

// Pattern 3: Direct file access to credential file locations
#event_simpleName in ("PeFileWritten", "NewExecutableRenamed", "SuspiciousCredentialModuleLoad")
   OR (#event_simpleName = "DocumentWritten"
      AND (TargetFileName = /(?i)([\/\.](ssh|aws|azure)[\/\\]|ConsoleHost_history\.txt|Unattend\.xml|sysprep\.xml|web\.config|applicationHost\.config|id_rsa|id_ecdsa|id_ed25519|accessTokens\.json|credentials\.json|passwords\.txt|creds\.txt|logins\.json)/
           OR TargetFileName = /(?i)\.(ppk|p12|pfx|pem)$/))
      AND NOT ImageFileName = /(?i)(explorer\.exe|OneDrive\.exe|backup\.exe|svchost\.exe)/
| table([_time, ComputerName, UserName, ImageFileName, TargetFileName, CommandLine])

// Aggregate results for analyst review
| groupBy([ComputerName, UserName, ImageFileName], function=([count(aid, as=EventCount), collect(CommandLine), collect(TargetFileName), min(_time, as=FirstSeen), max(_time, as=LastSeen)]))
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Data Replicator (FDR) Falcon Event Stream

Required Tables

ProcessRollup2 DocumentWritten PeFileWritten

False Positives

Authorized red team or penetration testing exercises using tools like LaZagne as part of a sanctioned engagement where the testing team is expected to attempt credential access
System administrators running PowerShell scripts (Get-ChildItem with credential-related filters) for legitimate inventory, compliance validation, or security hardening purposes
Cloud management and DevOps tools that access .aws/credentials or similar cloud provider credential files as part of automated infrastructure provisioning, deployment pipelines, or secrets rotation workflows

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1552.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.002Credentials in Registry T1552.003Bash History T1552.004Private Keys T1552.005Cloud Instance Metadata API T1552.006Group Policy Preferences T1552.007Container API T1552.008Chat Messages

Credentials In Files

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections