T1552.001 IBM QRadar · QRadar

Detect Credentials In Files in IBM QRadar

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These include user-created credential files, shared credential stores, configuration files with embedded passwords, and source code containing hardcoded credentials. Threat actors and malware including Emotet, APT33, LaZagne, Pupy, PoshC2, and Smoke Loader actively search for credential files. Commonly targeted files include web.config, applicationHost.config, .htaccess, unattend.xml (Group Policy Preferences), cloud credential files (~/.aws/credentials, ~/.azure/accessTokens.json), and any plaintext files with 'password' in the content.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.001 Credentials In Files
Canonical reference
https://attack.mitre.org/techniques/T1552/001/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "Message" AS raw_message,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 314)
  AND starttime > NOW() - 86400000
  AND (
    -- Credential file search via common tools
    (
      QIDNAME(qid) LIKE '%Process%Create%'
      AND (
        (
          LOWER("Message") LIKE '%findstr%'
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%passwd%'
            OR LOWER("Message") LIKE '%unattend%'
            OR LOWER("Message") LIKE '%web.config%'
            OR LOWER("Message") LIKE '%credentials%'
            OR LOWER("Message") LIKE '%.pem%'
            OR LOWER("Message") LIKE '%.pfx%'
          )
        )
        OR (
          LOWER("Message") LIKE '%powershell%'
          AND (
            LOWER("Message") LIKE '%select-string%'
            OR LOWER("Message") LIKE '%get-childitem%'
            OR LOWER("Message") LIKE '%get-content%'
          )
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%credentials%'
            OR LOWER("Message") LIKE '%id_rsa%'
            OR LOWER("Message") LIKE '%.pem%'
            OR LOWER("Message") LIKE '%.pfx%'
            OR LOWER("Message") LIKE '%.ppk%'
          )
        )
        OR LOWER("Message") LIKE '%lazagne%'
        OR LOWER("Message") LIKE '%mimikatz%'
        OR (
          LOWER("Message") LIKE '%cmd.exe%'
          AND LOWER("Message") LIKE '%dir %'
          AND (
            LOWER("Message") LIKE '%password%'
            OR LOWER("Message") LIKE '%credentials%'
          )
        )
      )
    )
    OR
    -- Direct access to known credential file paths
    (
      QIDNAME(qid) LIKE '%File%'
      AND (
        LOWER("Message") LIKE '%\.ssh\%'
        OR LOWER("Message") LIKE '%\.aws\credentials%'
        OR LOWER("Message") LIKE '%\.azure\%'
        OR LOWER("Message") LIKE '%consolehost_history.txt%'  -- PSReadLine command history (file is ConsoleHost_history.txt)
        OR LOWER("Message") LIKE '%unattend.xml%'
        OR LOWER("Message") LIKE '%sysprep.xml%'
        OR LOWER("Message") LIKE '%web.config%'
        OR LOWER("Message") LIKE '%applicationhost.config%'
        OR LOWER("Message") LIKE '%\id_rsa%'
        OR LOWER("Message") LIKE '%accesstokens.json%'
        OR LOWER("Message") LIKE '%credentials.json%'
        OR LOWER("Message") LIKE '%passwords.txt%'
        OR LOWER("Message") LIKE '%creds.txt%'
        OR LOWER("Message") LIKE '%logins.json%'
        OR LOWER("Message") LIKE '%.ppk%'
        OR LOWER("Message") LIKE '%.p12%'
        OR LOWER("Message") LIKE '%.pfx%'
      )
      AND NOT (
        LOWER("Message") LIKE '%explorer.exe%'
        OR LOWER("Message") LIKE '%onedrive.exe%'
        OR LOWER("Message") LIKE '%backup.exe%'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 1000
Severity: high. Confidence: medium.

Detects credential file enumeration and access on Windows and Linux endpoints via QRadar by correlating process creation events using credential-hunting tools (findstr, PowerShell, LaZagne) with file access events targeting known credential file paths such as SSH keys, cloud provider credential stores, browser credential files, and plaintext password files. Covers MITRE T1552.001 adversary techniques used by Emotet, APT33, and commodity malware.

Data Sources

  • Windows Security Event Log
  • Sysmon
  • Linux Audit Log (auditd)
  • EDR log sources

Required Tables

events

False Positives & Tuning

  • Legitimate system administrators using findstr or PowerShell cmdlets to audit or validate presence of credential files as part of security review or credential rotation workflows
  • Configuration management and orchestration tools (Ansible, Puppet, Chef, SCCM) that enumerate configuration files containing credentials during managed deployments
  • Developer toolchains and IDEs that access .aws/credentials, SSH keys, or other credential stores during normal application development, testing, or CI/CD pipeline execution

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Search for Passwords in Files with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'password' and recursive flags. Security Event ID 4688 (if command-line auditing). Security Event ID 4663 (Object Access) for any files accessed if Object Access auditing enabled.

  2. Test 2: Read AWS Credentials File

    Expected signal: Sysmon Event ID 1: cmd.exe with 'type' and '.aws\credentials'. Sysmon Event ID 11: file access for credentials file. Security Event ID 4663 if Object Access auditing enabled for the file.

  3. Test 3: LaZagne Credential Harvesting

    Expected signal: Sysmon Event ID 1: lazagne.exe with 'all' flag. Multiple file access events across credential locations (browser profiles, email clients, SSH directories). File creation event for output file.

  4. Test 4: Search for GPP Credentials in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with dir and findstr against SYSVOL. Sysmon Event ID 3: network connection to domain controller on SMB (port 445). Security Event ID 5140 (share access to \\*\SYSVOL) on the domain controller.
