Detect Credentials In Files in CrowdStrike LogScale
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials: user-created credential files, shared credential stores, configuration files with embedded passwords, and source code with hardcoded credentials. Malware families and threat groups including Emotet, APT33 and Smoke Loader do this, and post-exploitation frameworks such as LaZagne, Pupy and PoshC2 automate it. Commonly targeted files include web.config, applicationHost.config, .htaccess, Windows setup answer files (unattend.xml, sysprep.xml), Group Policy Preferences XML in SYSVOL (Groups.xml and related files carrying a cpassword attribute), cloud credential files (~/.aws/credentials, ~/.azure/accessTokens.json), and any plaintext file with 'password' in its content.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.001 Credentials In Files
- Canonical reference: https://attack.mitre.org/techniques/T1552/001/
LogScale Detection Query
// T1552.001 - Credentials In Files: Search and Access Detection
// Three patterns combined into one filter; each is a parenthesised clause.
(
  // Pattern 1: credential-file search via built-in enumeration and read tools.
  // 'type' and 'cat' are included so that reading a single file such as
  // .aws\credentials is caught; word boundaries stop the tool match from
  // firing on substrings such as "mimetype".
  (#event_simpleName = "ProcessRollup2"
    AND CommandLine = /(?i)\b(findstr|Select-String|Get-ChildItem|Get-Content|grep|type|cat)\b/
    AND CommandLine = /(?i)(password|passwd|credential|unattend|sysprep|web\.config|Groups\.xml|\.pem|\.pfx|\.ppk|id_rsa|accessTokens|logins\.json|creds\.txt)/)
  OR
  // Pattern 2: LaZagne or Mimikatz execution, by image name or command line.
  (#event_simpleName = "ProcessRollup2"
    AND (ImageFileName = /(?i)(lazagne|mimikatz)\.exe$/ OR CommandLine = /(?i)(lazagne|mimikatz)/))
  OR
  // Pattern 3: writes to known credential file locations. The path regex
  // accepts both slash styles; the exclusion removes Explorer, OneDrive,
  // backup agents and svchost-hosted services that routinely touch these files.
  (#event_simpleName = "DocumentWritten"
    AND (TargetFileName = /(?i)([\\\/]\.(ssh|aws|azure)[\\\/]|ConsoleHost_history\.txt|Unattend\.xml|sysprep\.xml|web\.config|applicationHost\.config|id_rsa|id_ecdsa|id_ed25519|accessTokens\.json|credentials\.json|passwords\.txt|creds\.txt|logins\.json)/
      OR TargetFileName = /(?i)\.(ppk|p12|pfx|pem)$/)
    AND NOT ImageFileName = /(?i)(explorer\.exe|OneDrive\.exe|backup\.exe|svchost\.exe)$/)
)
// Aggregate results for analyst review
| groupBy([ComputerName, UserName, ImageFileName], function=([count(aid, as=EventCount), collect([CommandLine, TargetFileName, ParentImageFileName]), min(_time, as=FirstSeen), max(_time, as=LastSeen)]))
| sort(EventCount, order=desc)
CrowdStrike LogScale CQL query detecting T1552.001 credential file hunting and access. It inspects ProcessRollup2 events for built-in search and read tools (findstr, PowerShell Get-ChildItem/Select-String/Get-Content, grep, type, cat) invoked with credential-file arguments, for direct execution of credential harvesting tools (LaZagne, Mimikatz), and DocumentWritten events that write to known credential file paths (SSH keys, cloud provider credential stores, the PowerShell console history file, and application configuration files with embedded credentials). Pattern 3 sees writes only: the standard Falcon event stream carries no generic file-read event, so a read of an existing key file is caught only when the reading process names it on the command line (Pattern 1) or through host-level object access auditing (Security Event ID 4663 with a SACL on the file).
Data Sources
- CrowdStrike Falcon sensor telemetry ingested into LogScale
Required Tables
- #event_simpleName = ProcessRollup2 (process execution; fields ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine)
- #event_simpleName = DocumentWritten (file write; fields ImageFileName, TargetFileName)
False Positives & Tuning
- Authorized red team or penetration testing exercises using tools like LaZagne as part of a sanctioned engagement where the testing team is expected to attempt credential access
- System administrators running PowerShell scripts (Get-ChildItem with credential-related filters) for legitimate inventory, compliance validation, or security hardening purposes
- Cloud management and DevOps tools that access .aws/credentials or similar cloud provider credential files as part of automated infrastructure provisioning, deployment pipelines, or secrets rotation workflows
Testing Methodology
Validate this detection against four Atomic Red Team tests for T1552.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are given as Sysmon and Windows Security events; in Falcon telemetry, Sysmon Event ID 1 and Security Event ID 4688 correspond to ProcessRollup2, and file creation to the *Written events. Executable commands and cleanup steps are available with Pro.
- Test 1: Search for Passwords in Files with findstr
  Expected signal: Sysmon Event ID 1 (or Security Event ID 4688 with command-line auditing): findstr.exe with 'password' and the /s /i recursive, case-insensitive flags. Security Event ID 4663 for each file read, only where an object-access SACL is configured. Matches Pattern 1.
- Test 2: Read AWS Credentials File
  Expected signal: Sysmon Event ID 1: cmd.exe with 'type' and '.aws\credentials'. Reading the file produces no Sysmon event on its own (Event ID 11 is FileCreate, not file access), so file-level evidence comes only from Security Event ID 4663 with a SACL on the credentials file. Matches Pattern 1 through the 'type' command line.
- Test 3: LaZagne Credential Harvesting
  Expected signal: Sysmon Event ID 1: lazagne.exe with the 'all' module argument. Many file reads across credential locations (browser profiles, email clients, SSH directories), visible only with object-access auditing. Sysmon Event ID 11 for the output file if one is written. Matches Pattern 2.
- Test 4: Search for GPP Credentials in SYSVOL
  Expected signal: Sysmon Event ID 1: cmd.exe with dir and findstr against \\<domain>\SYSVOL. Sysmon Event ID 3: network connection to a domain controller over SMB (port 445). Security Event ID 5140 (share access to \\*\SYSVOL) on the domain controller. Matches Pattern 1 when the command line carries cpassword or Groups.xml.
References
- https://attack.mitre.org/techniques/T1552/001/
- https://github.com/AlessandroZ/LaZagne
- https://obscuresecurity.blogspot.com/2012/05/gpp-passwords-in-group-policy.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
- https://specterops.io/blog/cloud-credential-storage/
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
- https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios