title: Credentials In Files (T1552.001)
id: df00tech-t1552-001
status: experimental
description: "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These include user-created credential files, shared credential stores, configuration files with embedded passwords, and source code containing hardcoded credentials. Threat actors and malware including Emotet, APT33, LaZagne, Pupy, PoshC2, and Smoke Loader actively search for credential files. Commonly targeted files include web.config, applicationHost.config, .htaccess, unattend.xml (Group Policy Preferences), cloud credential files (~/.aws/credentials, ~/.azure/accessTokens.json), and any plaintext files with 'password' in the content."
references:
  - https://attack.mitre.org/techniques/T1552/001/
  - https://df00tech.com/detections/T1552.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1552.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Backup agents legitimately reading configuration files and credential stores as part of system backup operations
  - "Security scanning tools (Tenable, Qualys) that enumerate credential files during vulnerability assessments"
  - "Configuration management tools (Ansible, Chef, Puppet) reading configuration files including those containing credentials"
  - Password managers and single sign-on agents that legitimately access credential file locations
  - IT auditing scripts that scan for hardcoded credentials as a security best practice enforcement measure
level: high
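The `selection` above is a wildcard placeholder that fires on every process creation, so as an added example (not df00tech's code or query) here is a Python reference matcher for the indicators the description actually names: command lines that reference the listed credential files, or that drive a content-search utility with a password-like term, with an allowlist hook for the kinds of tools listed under falsepositives. The sample events and the allowlisted image paths are constructed assumptions, not real telemetry.

```python
"""Reference matcher for T1552.001 on Windows process_creation events.
Added example, not part of the df00tech rule."""
import re
from dataclasses import dataclass

# Files the rule description lists as commonly targeted (matched case-insensitively).
CREDENTIAL_FILES = (
    "web.config", "applicationhost.config", ".htaccess", "unattend.xml",
    ".aws/credentials", ".aws\\credentials",
    ".azure/accesstokens.json", ".azure\\accesstokens.json",
)
# Built-in utilities that read or grep file contents; combined with a
# password-like search term they indicate a bulk hunt for plaintext secrets.
SEARCH_TOOLS = {"findstr", "select-string", "sls", "get-content", "gc", "type"}
SECRET_TERMS = re.compile(r"\b(password|passwd|pwd|credential|secret)\b")
# Hypothetical allowlist covering the falsepositives section (backup agents,
# configuration management); populate from your own environment.
ALLOWLISTED_IMAGES = ("\\backupagent\\", "\\ansible\\")

@dataclass
class Verdict:
    matched: bool
    reason: str

def evaluate(event: dict) -> Verdict:
    """Judge one process_creation event with Sysmon/4688-style Image and CommandLine fields."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if any(a in image for a in ALLOWLISTED_IMAGES):
        return Verdict(False, "allowlisted image")
    hit = next((f for f in CREDENTIAL_FILES if f in cmd), None)
    if hit:
        return Verdict(True, f"references credential file {hit}")
    # Normalise each token to its bare program name (strip path and .exe).
    tools = {t.rsplit("\\", 1)[-1].removesuffix(".exe") for t in cmd.split()}
    if tools & SEARCH_TOOLS and SECRET_TERMS.search(cmd):
        return Verdict(True, "content search for password-like terms")
    return Verdict(False, "no indicator")

def triage(events: list) -> list:
    """Return (index, reason) for every event that matches."""
    return [(i, v.reason) for i, ev in enumerate(events) if (v := evaluate(ev)).matched]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c findstr /si password *.xml *.ini *.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Content C:\Users\alice\.aws\credentials"},
    {"Image": r"C:\Program Files\BackupAgent\agent.exe",
     "CommandLine": r"agent.exe --backup C:\inetpub\wwwroot\web.config"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\src\README.md"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first two events; the backup agent reading web.config is suppressed by the allowlist and the notepad launch carries no indicator.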
