title: Unsecured Credentials (T1552)
id: df00tech-t1552
status: experimental
description: "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files, operating system or application-specific repositories, shell history files, private key files, cloud instance metadata APIs, container environment variables, and group policy preference files. Tools like LaZagne, NirSoft utilities, and custom scripts are commonly used to automate credential harvesting across multiple storage locations simultaneously."
references:
  - https://attack.mitre.org/techniques/T1552/
  - https://df00tech.com/detections/T1552
author: df00tech
date: 2026/04/13
tags:
  - attack.credential_access
  - attack.t1552
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. A catch-all
  # selection would fire on every process_creation event at level high, so
  # the selections below are a starting point built only from the tools and
  # files this rule already names (LaZagne, unattend.xml, web.config); tune
  # them for your environment and see the df00tech query for the full logic.
  selection_tool:
    Image|endswith: '\lazagne.exe'
  selection_credfiles:
    CommandLine|contains:
      - 'lazagne'
      - 'unattend.xml'
      - 'web.config'
  condition: 1 of selection_*
falsepositives:
  - "Password managers (KeePass, Bitwarden, 1Password desktop) legitimately accessing their own credential files"
  - "SSH clients (PuTTY, OpenSSH, WinSCP) reading .pem or known_hosts files as part of normal connection workflow"
  - "Configuration management tools (Ansible, Puppet, Chef) reading web.config or unattend.xml during deployments"
  - "Security scanners (Tenable, Qualys) that enumerate credential file locations as part of vulnerability assessments"
  - "Backup software reading all file types, including credential-related files, as part of scheduled backup jobs"
level: high

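Added example, not df00tech's code or query: a minimal evaluator that applies a process_creation selection built from the indicators this rule names (LaZagne, unattend.xml, web.config) to constructed Sysmon-style events, and shows how one of the false-positive cases listed above (deployment tooling touching web.config) is handled by a tuning filter. The events, the `msdeploy.exe` image used in the filter, and the field names are assumptions for the example; only the Sigma `contains`/`endswith` modifiers it uses are implemented, so it is not a Sigma engine.

```python
"""Minimal Sigma-style matcher for a T1552 process_creation selection.

Added example, not df00tech's code. Events are constructed, not telemetry.
Map semantics follow Sigma: keys inside one map are AND-ed, list values OR-ed,
string matching is case-insensitive.
"""

# Indicators taken from the rule's description and falsepositives sections.
SELECTIONS = {
    "selection_tool": {"Image|endswith": ["\\lazagne.exe"]},
    "selection_credfiles": {
        "CommandLine|contains": ["lazagne", "unattend.xml", "web.config"],
    },
}

# Hypothetical tuning filter for deployment tooling that legitimately reads
# web.config; the image name is an assumption for this example.
FILTERS = {
    "filter_deploy": {"Image|endswith": ["\\msdeploy.exe"]},
}

# Constructed Sysmon-style events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Users\\bob\\Downloads\\LaZagne.exe",
     "CommandLine": "LaZagne.exe all"},
    {"Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr /si password C:\\Windows\\Panther\\unattend.xml"},
    {"Image": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe",
     "CommandLine": "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" vault.kdbx"},
    {"Image": "C:\\Program Files\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe",
     "CommandLine": "msdeploy.exe -verb:sync -source:contentPath=C:\\site\\web.config "
                    "-dest:contentPath=D:\\www\\web.config"},
]


def _value_matches(value: str, modifier: str, patterns) -> bool:
    """True if the field value satisfies any pattern under the given modifier."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def map_matches(event: dict, selection: dict) -> bool:
    """Every field in the map must match (AND); any listed pattern suffices (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _value_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def rule_matches(event: dict, apply_filters: bool = True) -> bool:
    """Condition: 1 of selection_* and not 1 of filter_*."""
    hit = any(map_matches(event, s) for s in SELECTIONS.values())
    if not hit:
        return False
    if apply_filters and any(map_matches(event, f) for f in FILTERS.values()):
        return False
    return True


def evaluate(events) -> list:
    """Return [(index, matched), ...] for a batch of events."""
    return [(i, rule_matches(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, matched in evaluate(EVENTS):
        print(i, "ALERT" if matched else "ok   ", EVENTS[i]["Image"])
```

Running it flags the LaZagne execution and the findstr read of unattend.xml, leaves the KeePass launch alone, and shows that the web.config deployment would alert without the filter but is suppressed with it; that is the trade-off each entry in the falsepositives list asks you to make explicitly, per tool, rather than by widening the selection.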