Detect Unsecured Credentials in Microsoft Sentinel
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files, operating system or application-specific repositories, shell history files, private key files, cloud instance metadata APIs, container environment variables, and group policy preference files. Tools like LaZagne, NirSoft utilities, and custom scripts are commonly used to automate credential harvesting across multiple storage locations simultaneously.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Canonical reference: https://attack.mitre.org/techniques/T1552/
KQL Detection Query
let CredentialFilePatterns = dynamic([
    "password", "passwd", "credentials", "creds", "secret", "apikey", "api_key",
    ".aws\\credentials", "unattend.xml", "sysprep.xml", "web.config",
    "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", ".pem", ".pfx", ".p12",
    "vnc.ini", "filezilla", "winscp.ini", "putty", "bash_history", ".ssh"
]);
let CredentialHarvestingTools = dynamic([
    "lazagne", "nirsoft", "netpass", "credentialfileview", "passwordfox",
    "webbrowserpassview", "mailpassview", "vaultpassview", "credentialsfileview",
    "mimikatz", "wce.exe", "pwdump", "fgdump", "gsecdump"
]);
let CredentialRegistryPaths = dynamic([
    "\\SOFTWARE\\ORL\\WinVNC3\\Password",
    "\\SOFTWARE\\TightVNC\\Server",
    "\\SOFTWARE\\RealVNC\\WinVNC4",
    "\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities",
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions",
    "\\SOFTWARE\\OpenSSH",
    "DefaultPassword", "AltDefaultPassword"
]);
// Branch 1: Suspicious file access patterns indicating credential file enumeration
let FileCredentialAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileAccessed", "FileRead")
| where FolderPath has_any (CredentialFilePatterns) or FileName has_any (CredentialFilePatterns)
| where InitiatingProcessFileName !in~ ("svchost.exe", "SearchIndexer.exe", "MsMpEng.exe", "OneDrive.exe")
| extend DetectionBranch = "CredentialFileAccess"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch;
// Branch 2: Known credential harvesting tools
let HarvestingTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CredentialHarvestingTools)
    or ProcessCommandLine has_any (CredentialHarvestingTools)
    or InitiatingProcessFileName has_any (CredentialHarvestingTools)
| extend DetectionBranch = "CredentialHarvestingTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch;
// Branch 3: Registry queries to credential storage locations
let RegistryCredentialQuery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (CredentialRegistryPaths) or RegistryValueName has_any ("Password", "DefaultPassword", "AltDefaultPassword")
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe")
| extend DetectionBranch = "RegistryCredentialQuery"
// Rename the registry columns so this branch lines up with the process-based branches in the union below
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
    InitiatingProcessFileName=InitiatingProcessParentFileName,
    InitiatingProcessCommandLine=InitiatingProcessParentCommandLine,
    InitiatingProcessParentFileName="", DetectionBranch;
// Branch 4: PowerShell or cmd searching for credential content in files
let ScriptedCredentialSearch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh")
| where ProcessCommandLine has_any (
    "Get-Content", "gc ", "cat ", "type ", "findstr", "grep",
    "Select-String", "sls "
    )
    // Note: has_any matches whole terms, not substrings; a fragment such as "passw"
    // only matches when it appears as a standalone token in the command line
    and ProcessCommandLine has_any (
    "password", "passwd", "credentials", "secret", "apikey", "api_key",
    "connectionstring", "pwd", "passw"
    )
| extend DetectionBranch = "ScriptedCredentialSearch"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch;
union FileCredentialAccess, HarvestingTools, RegistryCredentialQuery, ScriptedCredentialSearch
| sort by Timestamp desc

Multi-branch detection for T1552 Unsecured Credentials across Windows endpoints using Microsoft Defender for Endpoint tables. Branch 1 detects file access to known credential storage locations (SSH keys, .aws/credentials, WinSCP configs, browser credential files). Branch 2 identifies execution of known credential harvesting tools (LaZagne, NirSoft suite, Mimikatz variants). Branch 3 monitors registry queries to locations where applications store credentials in plaintext (VNC, PuTTY, Winlogon). Branch 4 catches scripted searches using Get-Content, findstr, grep, or Select-String against files containing credential keywords. Uses the DeviceFileEvents, DeviceProcessEvents, and DeviceRegistryEvents tables.
Data Sources
Required Tables
- DeviceFileEvents
- DeviceProcessEvents
- DeviceRegistryEvents
False Positives & Tuning
- Password managers (KeePass, Bitwarden, 1Password desktop) legitimately accessing their own credential files
- SSH clients (PuTTY, OpenSSH, WinSCP) reading .pem or known_hosts files as part of normal connection workflow
- Configuration management tools (Ansible, Puppet, Chef) reading web.config or unattend.xml during deployments
- Security scanners (Tenable, Qualys) that enumerate credential file locations as part of vulnerability assessments
- Backup software reading all file types including credential-related files as part of scheduled backup jobs
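One way to apply this tuning, as an added example rather than part of the original detection: the block below replaces the final `union ... | sort by Timestamp desc` step, so the four `let` branches defined in the query above must still be in scope. It drops the allowlisted processes and service accounts, then aggregates per device, account and hour so that an alert needs either two or more branches firing together or an unusually large number of distinct credential files touched. The service account names and thresholds are constructed placeholders.

```kql
// Allowlist for processes the false-positive list names as legitimate readers of
// credential files. Extend with the organisation's own backup, scanner and
// configuration-management agents once their image names are confirmed.
let AllowlistedProcesses = dynamic([
    "keepass.exe", "bitwarden.exe", "1password.exe",   // password managers
    "putty.exe", "ssh.exe", "winscp.exe"               // SSH/SCP clients
]);
let AllowlistedAccounts = dynamic(["svc_backup", "svc_vulnscan"]);  // constructed names
let MinBranches = 2;   // branches that must fire for the same device/account/hour
let MinFiles = 10;     // or: distinct credential files read by one account in an hour
union FileCredentialAccess, HarvestingTools, RegistryCredentialQuery, ScriptedCredentialSearch
// FileName holds the accessed file in Branch 1 but the process image elsewhere,
// so check both columns against the process allowlist.
| where not(FileName in~ (AllowlistedProcesses) or InitiatingProcessFileName in~ (AllowlistedProcesses))
| where AccountName !in~ (AllowlistedAccounts)
| summarize
    Branches      = make_set(DetectionBranch),
    BranchCount   = dcount(DetectionBranch),
    DistinctFiles = dcountif(FileName, DetectionBranch == "CredentialFileAccess"),
    Tools         = make_set_if(FileName, DetectionBranch == "CredentialHarvestingTool"),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by DeviceName, AccountName, Hour = bin(Timestamp, 1h)
| where BranchCount >= MinBranches or DistinctFiles >= MinFiles
| extend Severity = case(BranchCount >= 3, "High", BranchCount == 2, "Medium", "Low")
| project-away Hour
| sort by BranchCount desc, DistinctFiles desc, LastSeen desc
```

A single Branch 2 hit (a known harvesting tool) is still worth alerting on directly; keep the original ungrouped query as a second rule for that case.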
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: LaZagne All-Sources Credential Harvest Simulation
  Expected signal: Sysmon Event ID 1: Process Create for lazagne.exe with CommandLine 'all -oN'. Sysmon Event ID 11: Multiple file access events across browser profile directories, %APPDATA% credential stores, and credential files. Sysmon Event ID 13: Registry queries to PuTTY, VNC, and Winlogon password locations. File creation event for lazagne_test_output.txt.
- Test 2: Scripted Credential File Search via PowerShell Select-String
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing both 'Select-String' and 'password'. PowerShell ScriptBlock Log Event ID 4104 capturing the full pipeline. Sysmon Event ID 11 for cred_search_results.txt creation. Multiple file access events as Select-String reads candidate files.
- Test 3: Registry Credential Extraction — PuTTY and Winlogon
  Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine querying the PuTTY sessions path. If Sysmon is configured to monitor registry access, Event ID 13 showing TargetObject paths. Security Event ID 4663 (if object access auditing is enabled) for registry key read operations.
- Test 4: Private Key Enumeration and Staging
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing '.pem', '.pfx', 'id_rsa'. Sysmon Event ID 11: File creation for the key_staging directory. Multiple file access events as Get-ChildItem reads candidate key files. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script.
- Test 5: NirSoft WebBrowserPassView Credential Extraction
  Expected signal: Sysmon Event ID 1: Process Create for WebBrowserPassView.exe. Sysmon Event ID 11: File access to the Chrome Login Data SQLite file at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, Firefox logins.json, Edge Login Data. File creation event for browser_creds_test.html output. If DPAPI decryption is used, potential Event ID 4693 (DPAPI decryption) in the Security log.
References
- https://attack.mitre.org/techniques/T1552/
- https://github.com/AlessandroZ/LaZagne
- https://www.nirsoft.net/password_recovery_tools.html
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md
- https://www.cybereason.com/blog/astaroth-malware-uses-legitimate-os-and-antivirus-processes-to-steal-passwords-and-personal-data
- https://www.huntress.com/blog/nppspy-how-unsecured-windows-credential-provider-allowed-adversaries-to-access-credentials