Detect Unsecured Credentials in Splunk
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files, operating system or application-specific repositories, shell history files, private key files, cloud instance metadata APIs, container environment variables, and group policy preference files. Tools like LaZagne, NirSoft utilities, and custom scripts are commonly used to automate credential harvesting across multiple storage locations simultaneously.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Canonical reference
- https://attack.mitre.org/techniques/T1552/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*password*" OR CommandLine="*passwd*" OR CommandLine="*credentials*" OR CommandLine="*secret*" OR CommandLine="*apikey*" OR CommandLine="*api_key*")
(CommandLine="*findstr*" OR CommandLine="*Get-Content*" OR CommandLine="*Select-String*" OR CommandLine="*grep*" OR CommandLine="* type *" OR CommandLine="*cat *")
| eval DetectionBranch="ScriptedCredentialSearch"
| eval RiskScore=25
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*lazagne*" OR Image="*netpass*" OR Image="*passwordfox*" OR Image="*webbrowserpassview*" OR Image="*vaultpassview*" OR Image="*credentialfileview*" OR Image="*mailpassview*")
OR (CommandLine="*lazagne*" OR CommandLine="*netpass*" OR CommandLine="*nirsoft*")
| eval DetectionBranch="CredentialHarvestingTool"
| eval RiskScore=75
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
(TargetObject="*\\WinVNC3\\Password*" OR TargetObject="*\\TightVNC\\Server*" OR TargetObject="*\\RealVNC*" OR TargetObject="*Winlogon*DefaultPassword*" OR TargetObject="*PuTTY\\Sessions*" OR TargetObject="*SNMP*ValidCommunities*")
| eval DetectionBranch="RegistryCredentialAccess"
| eval RiskScore=50
| table _time, host, User, Image, CommandLine, TargetObject, Details, ParentImage, DetectionBranch, RiskScore
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="*.pem" OR TargetFilename="*.pfx" OR TargetFilename="*.p12" OR TargetFilename="*id_rsa*" OR TargetFilename="*id_dsa*" OR TargetFilename="*id_ecdsa*" OR TargetFilename="*unattend.xml" OR TargetFilename="*credentials" OR TargetFilename="*vnc.ini" OR TargetFilename="*winscp.ini")
NOT (Image="*\\svchost.exe" OR Image="*\\SearchIndexer.exe" OR Image="*\\MsMpEng.exe")
| eval DetectionBranch="CredentialFileCreatedOrAccessed"
| eval RiskScore=40
| table _time, host, User, Image, TargetFilename, CommandLine, ParentImage, DetectionBranch, RiskScore
]
| eval Severity=case(RiskScore >= 75, "Critical", RiskScore >= 50, "High", RiskScore >= 25, "Medium", true(), "Low")
| sort - RiskScore, - _timeMulti-branch Splunk detection for T1552 Unsecured Credentials using Sysmon operational logs. Uses a union across four detection branches: (1) Sysmon Event ID 1 process creation catching scripted credential searches with findstr, Get-Content, grep, or Select-String combined with credential keywords; (2) Event ID 1 for known NirSoft credential harvesting tool execution including LaZagne, NetPass, PasswordFox, WebBrowserPassView; (3) Sysmon Event ID 13 (Registry Value Set) monitoring credential storage registry paths such as VNC password locations, PuTTY sessions, and Winlogon auto-login passwords; (4) Sysmon Event ID 11 (File Create) detecting access to private key files (.pem, .pfx, .p12), SSH key files (id_rsa, id_dsa), and unattend.xml files. Risk scoring prioritizes known tool execution (75) over registry queries (50), suspicious file activity (40), and scripted searches (25).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Password managers reading their own encrypted credential stores during normal operation
- SSH tooling (PuTTY, OpenSSH for Windows, WinSCP) accessing .pem and known_hosts files during connection establishment
- Backup and archival software accessing all file types including private keys and configuration files
- DevOps pipeline agents reading web.config, unattend.xml, or credential files during CI/CD deployments
- IT provisioning scripts using findstr or Select-String to validate configuration file contents post-deployment
Other platforms for T1552
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1LaZagne All-Sources Credential Harvest Simulation
Expected signal: Sysmon Event ID 1: Process Create for lazagne.exe with CommandLine 'all -oN'. Sysmon Event ID 11: Multiple file access events across browser profile directories, %APPDATA% credential stores, and credential files. Sysmon Event ID 13: Registry queries to PuTTY, VNC, and Winlogon password locations. File creation event for lazagne_test_output.txt.
- Test 2Scripted Credential File Search via PowerShell Select-String
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing both 'Select-String' and 'password'. PowerShell ScriptBlock Log Event ID 4104 capturing the full pipeline. Sysmon Event ID 11 for cred_search_results.txt creation. Multiple file access events as Select-String reads candidate files.
- Test 3Registry Credential Extraction — PuTTY and Winlogon
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine querying PuTTY sessions path. If Sysmon is configured to monitor registry access, Event ID 13 showing TargetObject paths. Security Event ID 4663 (if object access auditing enabled) for registry key read operations.
- Test 4Private Key Enumeration and Staging
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing '.pem', '.pfx', 'id_rsa'. Sysmon Event ID 11: File creation for key_staging directory. Multiple file access events as Get-ChildItem reads candidate key files. PowerShell ScriptBlock Log Event ID 4104 with full enumeration script.
- Test 5NirSoft WebBrowserPassView Credential Extraction
Expected signal: Sysmon Event ID 1: Process Create for WebBrowserPassView.exe. Sysmon Event ID 11: File access to Chrome Login Data SQLite file at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, Firefox logins.json, Edge Login Data. File creation event for browser_creds_test.html output. If DPAPI decryption is used, potential Event ID 4693 (DPAPI decryption) in Security log.
References (9)
- https://attack.mitre.org/techniques/T1552/
- https://github.com/AlessandroZ/LaZagne
- https://www.nirsoft.net/password_recovery_tools.html
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md
- https://www.cybereason.com/blog/astaroth-malware-uses-legitimate-os-and-antivirus-processes-to-steal-passwords-and-personal-data
- https://www.huntress.com/blog/nppspy-how-unsecured-windows-credential-provider-allowed-adversaries-to-access-credentials
Unlock Pro Content
Get the full detection package for T1552 including response playbook, investigation guide, and atomic red team tests.