Detect Credentials In Files in Google Chronicle
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These include user-created credential files, shared credential stores, configuration files with embedded passwords, and source code containing hardcoded credentials. Threat actors and malware including Emotet, APT33, LaZagne, Pupy, PoshC2, and Smoke Loader actively search for credential files. Commonly targeted files include web.config, applicationHost.config, .htaccess, unattend.xml (Group Policy Preferences), cloud credential files (~/.aws/credentials, ~/.azure/accessTokens.json), and any plaintext files with 'password' in the content.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.001 Credentials In Files
- Canonical reference
- https://attack.mitre.org/techniques/T1552/001/
YARA-L Detection Query
rule t1552_001_credentials_in_files {
meta:
author = "Argus Detection Engineering"
description = "Detects adversary searches for credentials stored in files via common enumeration tools and direct access to known credential file locations. Covers T1552.001 - Credentials In Files."
mitre_attack_technique = "T1552.001"
mitre_attack_tactic = "Credential Access"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1552/001/"
created = "2026-04-21"
events:
(
// Pattern 1: Credential search tool execution with credential file arguments
$e1.metadata.event_type = "PROCESS_LAUNCH"
and (
(
re.regex($e1.principal.process.file.full_path, `(?i)(findstr\.exe|grep\.exe)$`)
and re.regex($e1.target.process.command_line, `(?i)(password|passwd|credential|unattend|sysprep|web\.config|\.pem|\.pfx|\.ppk|id_rsa)`)
)
or (
re.regex($e1.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
and re.regex($e1.target.process.command_line, `(?i)(Select-String|Get-ChildItem|Get-Content)`)
and re.regex($e1.target.process.command_line, `(?i)(password|credentials|id_rsa|\.pem|\.pfx|\.ppk|accessTokens|logins\.json)`)
)
or (
re.regex($e1.principal.process.file.full_path, `(?i)(cmd\.exe)$`)
and re.regex($e1.target.process.command_line, `(?i)dir\s`)
and re.regex($e1.target.process.command_line, `(?i)(password|credentials|cred)`)
)
or re.regex($e1.target.process.command_line, `(?i)(lazagne|mimikatz)`)
or re.regex($e1.target.process.file.full_path, `(?i)(lazagne\.exe|mimikatz\.exe)$`)
)
)
or
(
// Pattern 2: Direct file access to known credential file locations
$e1.metadata.event_type = "FILE_OPEN"
and (
re.regex($e1.target.file.full_path, `(?i)([\\/]\.ssh[\\/]|[\\/]\.aws[\\/]credentials|[\\/]\.azure[\\/]|ConsoleHost_history\.txt|Unattend\.xml|sysprep\.xml|web\.config|applicationHost\.config|[\\/]id_rsa$|[\\/]id_ecdsa$|[\\/]id_ed25519$|accessTokens\.json|credentials\.json|passwords\.txt|creds\.txt|logins\.json)`)
or re.regex($e1.target.file.full_path, `(?i)\.(ppk|p12|pfx|pem)$`)
)
and not re.regex($e1.principal.process.file.full_path, `(?i)(explorer\.exe|OneDrive\.exe|backup\.exe|svchost\.exe|taskhostw\.exe)$`)
)
condition:
$e1
}YARA-L 2.0 rule for Google Chronicle that detects adversary credential file hunting by monitoring process launch events involving common credential search tools (findstr, grep, PowerShell Get-ChildItem/Select-String, LaZagne, Mimikatz) with credential-related arguments, and file open events targeting known sensitive credential file paths including SSH keys, AWS/Azure credential files, Windows PowerShell history, and web application configuration files.
Data Sources
Required Tables
False Positives & Tuning
- Security engineers running authorized credential audits using findstr or PowerShell to locate and inventory credential files for security assessments or hardening exercises
- DevOps pipelines and infrastructure-as-code tools that read cloud credential files (.aws/credentials, service account JSON files) during resource provisioning and configuration management
- Password manager software and credential management applications that access their own database files and synced credential stores during normal operation
Other platforms for T1552.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Search for Passwords in Files with findstr
Expected signal: Sysmon Event ID 1: findstr.exe with 'password' and recursive flags. Security Event ID 4688 (if command-line auditing). Security Event ID 4663 (Object Access) for any files accessed if Object Access auditing enabled.
- Test 2Read AWS Credentials File
Expected signal: Sysmon Event ID 1: cmd.exe with 'type' and '.aws\credentials'. Sysmon Event ID 11: file access for credentials file. Security Event ID 4663 if Object Access auditing enabled for the file.
- Test 3LaZagne Credential Harvesting
Expected signal: Sysmon Event ID 1: lazagne.exe with 'all' flag. Multiple file access events across credential locations (browser profiles, email clients, SSH directories). File creation event for output file.
- Test 4Search for GPP Credentials in SYSVOL
Expected signal: Sysmon Event ID 1: cmd.exe with dir and findstr against SYSVOL. Sysmon Event ID 3: network connection to domain controller on SMB (port 445). Security Event ID 5140 (share access to \\*\SYSVOL) on the domain controller.
References (7)
- https://attack.mitre.org/techniques/T1552/001/
- https://github.com/AlessandroZ/LaZagne
- https://obscuresecurity.blogspot.com/2012/05/gpp-passwords-in-group-policy.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
- https://specterops.io/blog/cloud-credential-storage/
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
- https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
Unlock Pro Content
Get the full detection package for T1552.001 including response playbook, investigation guide, and atomic red team tests.