When an adversary gains initial access to a system, one of the first things they look for is a shortcut to additional access. Files containing credentials — passwords typed into a config file, API keys committed to source code, or credentials left in an unattended setup script — represent exactly that shortcut. T1552.001 formalizes this behavior in the MITRE ATT&CK framework as a sub-technique under the broader Unsecured Credentials category.
The technique applies across Windows, Linux, macOS, IaaS cloud environments, and containers. Credential files can exist almost anywhere: a developer's home directory, a web application's configuration tree, a network share used for software deployment, a Docker image layer, or a Kubernetes secret that was never properly encrypted. The attacker's goal is straightforward — find a file containing a usable credential and use it to authenticate elsewhere without having to crack a hash or exploit additional vulnerabilities.
How Credentials In Files Works
The technique unfolds in two phases. First, the adversary identifies candidate files through keyword searches, directory traversal, or automated tooling. Second, they parse or read those files to extract usable credentials. The extracted credentials are then leveraged for lateral movement, privilege escalation, or access to external services.
File Search Methods
On Windows systems, adversaries frequently use findstr to search file contents recursively for credential-related keywords across common document types:
```bat
# Windows: recursive search for 'pass' keyword across common file types
findstr /si pass *.xml *.doc *.txt *.xls *.ini *.config
```
On Linux and macOS, grep serves the equivalent role. Adversaries often search across home directories, web application roots, and configuration directories for terms such as password, passwd, secret, token, or credentials:
```bash
# Linux: search for password strings in common config locations
grep -r "password" /etc/ /var/www/ /home/ --include="*.conf" --include="*.yml" --include="*.env" 2>/dev/null
```
High-Value File Targets
Certain file paths and formats are targeted more often than others because they reliably contain credentials in recoverable form. Common targets include:
- `unattend.xml` — Windows unattended installation answer files stored in `C:\Windows\Panther\` frequently contain local administrator credentials set during OS deployment, sometimes in plaintext or base64-encoded form.
- `.netrc` files — Used on Unix-like systems to store credentials for FTP, HTTP, and other services in plaintext. GitHub credentials are commonly found here when developers use password-based Git authentication.
- Group Policy Preferences (GPP) XML — Historically stored in SYSVOL shares on domain controllers, GPP XML files contained cpassword values encrypted with a static AES key published by Microsoft, making them trivially decryptable.
- `.aws/credentials` and `~/.config/gcloud/` — AWS, GCP, and Azure CLI store service account credentials and access tokens in local configuration files under user home directories. TeamTNT and similar cloud-targeting groups specifically hunt these paths post-compromise.
- Docker and Kubernetes credential stores — Container environments store registry credentials in `~/.docker/config.json` and Kubernetes service account tokens in `/var/run/secrets/kubernetes.io/serviceaccount/token`.
- Web application configuration files — Files such as `wp-config.php`, `application.properties`, `.env`, and database connection strings frequently contain database passwords with elevated privileges.
- SSH private keys — `~/.ssh/id_rsa` and similar files allow direct authentication to remote hosts if the private key is unencrypted or if the passphrase is recoverable.
- Backup and virtual machine files — Password hashes and plaintext credentials can be extracted from VM snapshots, disk images, and backup archives through offline credential dumping techniques.
Automated Credential Harvesting Tools
Rather than manually searching file systems, many adversaries deploy purpose-built tools that enumerate credential storage locations automatically. LaZagne is the most widely observed example — an open-source Python tool that searches dozens of application-specific locations including browsers, email clients, databases, WiFi configurations, and development tools. Other tools in this category include SessionGopher (PowerShell-based, targets saved PuTTY, WinSCP, and RDP sessions), WinPwn (a PowerShell post-exploitation framework with dedicated credential search modules), and Snaffler (a .NET tool designed to find interesting files on Windows network shares at scale).
In cloud and containerized deployments, credential files are particularly dangerous because they are often portable — copying a ~/.aws/credentials file to another machine grants full access to any AWS resources the original account can reach, with no additional exploitation required.
Real-World Case Studies
TeamTNT and the Hildegard Campaign
TeamTNT, a financially motivated threat group targeting cloud environments, built credential harvesting from files into the core of their Hildegard malware campaign. After compromising exposed Docker daemon APIs, Hildegard executed a shell script that searched for SSH keys, Docker registry credentials stored in ~/.docker/config.json, and Kubernetes service account tokens. The recovered credentials were used to pivot to additional containers and cloud accounts, significantly expanding the group's cryptomining operation. Palo Alto Networks Unit 42 documented this campaign in detail, noting that the combination of file-based credential theft and container-native propagation made Hildegard unusually effective against Kubernetes clusters.
APT33 (Elfin) and LaZagne Deployment
APT33, an Iranian threat group with a long history of targeting aerospace, defense, and energy organizations, incorporated LaZagne into post-compromise operations observed by Symantec and Mandiant. Following initial access through spearphishing or VPN vulnerabilities, APT33 operators deployed LaZagne to harvest credentials stored in browser profiles, email clients, and system credential stores. The recovered credentials enabled the group to move laterally across enterprise networks and access additional systems without triggering authentication anomalies, since the stolen credentials appeared as legitimate logins.
Ember Bear and Plaintext Credentials in IP Cameras
A CISA advisory published in September 2024 described how Ember Bear, a Russian GRU-linked threat group, dumped configuration data from compromised IP cameras and other network devices, recovering plaintext administrative credentials stored in device configuration files. These credentials were then used to access additional network infrastructure. The case illustrates that T1552.001 extends beyond traditional computing systems to any networked device that stores credentials in configuration files — a category that includes a significant portion of industrial and building management system equipment.
FIN13 (Elephant Beetle) and File Browsing for Admin Credentials
FIN13, a financially motivated threat actor documented by Sygnia under the name Elephant Beetle, was observed manually browsing local files on compromised machines to locate administrative credentials. Operating primarily against financial institutions in Latin America over multiple years, FIN13 used the recovered credentials to establish persistence and facilitate fraudulent financial transactions. The group's extended dwell time — often measured in months — gave operators ample opportunity to locate credential files that were not immediately obvious during initial reconnaissance.
Detection Strategies
Detecting T1552.001 requires monitoring both file access events and the execution of processes associated with credential search activity. The two most useful data sources are file system audit logs and process command-line telemetry from EDR platforms or Windows Event Logging.
SIEM Detection — Sensitive File Access
```spl
# Splunk: alert on access to high-value credential file paths
index=windows EventCode=4663 ObjectName IN (
    "*\\Panther\\unattend.xml",
    "*\\.netrc",
    "*\\.aws\\credentials",
    "*\\.docker\\config.json",
    "*\\serviceaccount\\token",
    "*\\id_rsa",
    "*\\wp-config.php",
    "*\\.env"
)
| stats count by ComputerName, SubjectUserName, ObjectName, ProcessName
| where count > 1
| sort - count
```
SIEM Detection — Credential Keyword File Searches
```spl
# Splunk: detect findstr, grep or Select-String searching for credential keywords
index=windows EventCode=4688
| where like(CommandLine, "%findstr%pass%")
    OR like(CommandLine, "%findstr%cred%")
    OR like(CommandLine, "%findstr%secret%")
    OR like(CommandLine, "%grep%pass%")
    OR like(CommandLine, "%Select-String%password%")
| stats count by ComputerName, SubjectUserName, CommandLine
| sort - count
```
Behavioral Indicators
| Indicator | What It Means |
|---|---|
| Mass file reads across multiple directories in a short time window | Possible automated credential search or tool execution; legitimate users rarely read large numbers of files sequentially |
| Access to `C:\Windows\Panther\unattend.xml` outside of OS deployment context | High-confidence indicator of credential harvesting; this file has no legitimate runtime access requirement post-deployment |
| LaZagne, SessionGopher, or Snaffler process execution | Known credential harvesting tools; their presence on a system is a strong indicator of post-compromise credential access activity |
| Process accessing `~/.aws/credentials` or `~/.docker/config.json` outside expected application context | Possible exfiltration of cloud service credentials; cross-reference with the process making the access |
| `findstr` or `grep` invocations with password-related keywords as arguments | Manual credential search activity; commonly seen in interactive post-compromise sessions |
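The detection logic from the two Splunk searches and the indicator table above, applied to event records in code, as an added example that is not part of the original article. The event fields (`ts`, `code`, `host`, `user`, `proc`, `path`, `cmdline`), the sample telemetry and the mass-read thresholds are assumptions.

```python
"""Detection logic for T1552.001 over constructed 4663/4688-style event records.
Added example, not part of the original article; field names mirror the Splunk
searches above, while the event records and thresholds are assumptions."""
from collections import defaultdict
from fnmatch import fnmatch

# Sensitive paths from the article's SIEM rule, as lower-case glob patterns.
SENSITIVE_PATHS = [
    "*\\panther\\unattend.xml", "*\\.netrc", "*\\.aws\\credentials",
    "*\\.docker\\config.json", "*\\serviceaccount\\token", "*\\id_rsa",
    "*\\wp-config.php", "*\\.env",
]
SEARCH_TOOLS = ("findstr", "grep", "select-string")
CRED_KEYWORDS = ("pass", "cred", "secret", "token")
MASS_READ_THRESHOLD = 20   # distinct files per process in the window (assumed)
MASS_READ_WINDOW = 60      # seconds (assumed)

def is_sensitive(path):
    """Match a Windows or POSIX path against the sensitive-path patterns."""
    p = path.lower().replace("/", "\\")
    return any(fnmatch(p, pat) for pat in SENSITIVE_PATHS)

def is_credential_search(cmdline):
    """A search tool invoked with a credential keyword among its arguments."""
    c = cmdline.lower()
    return any(t in c for t in SEARCH_TOOLS) and any(k in c for k in CRED_KEYWORDS)

def analyze(events):
    """events: dicts with ts, code (4663|4688), host, user, proc and path or
    cmdline. Returns (indicator, host, user, detail) tuples in time order."""
    alerts, reads, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["proc"])
        if e["code"] == 4663:
            if is_sensitive(e["path"]):
                alerts.append(("sensitive_file_access", e["host"], e["user"], e["path"]))
            reads[key].append((e["ts"], e["path"]))
            # Distinct files this process read within the window; alert once.
            recent = {p for t, p in reads[key] if e["ts"] - t <= MASS_READ_WINDOW}
            if len(recent) >= MASS_READ_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(("mass_file_read", e["host"], e["user"], e["proc"]))
        elif e["code"] == 4688 and is_credential_search(e["cmdline"]):
            alerts.append(("credential_keyword_search", e["host"], e["user"], e["cmdline"]))
    return alerts

# Constructed sample telemetry: one sensitive read, one keyword search, one 25-file sweep.
SAMPLE_EVENTS = [
    {"ts": 100, "code": 4663, "host": "WS01", "user": "bob", "proc": "cmd.exe",
     "path": "C:\\Windows\\Panther\\unattend.xml"},
    {"ts": 105, "code": 4688, "host": "WS01", "user": "bob", "proc": "cmd.exe",
     "cmdline": "findstr /si pass *.xml *.ini *.config"},
] + [
    {"ts": 200 + i, "code": 4663, "host": "WS01", "user": "svc", "proc": "tool.exe",
     "path": "C:\\Users\\bob\\Documents\\doc%d.txt" % i} for i in range(25)
]
```

Running `analyze(SAMPLE_EVENTS)` yields one alert per indicator: the unattend.xml read, the findstr keyword search, and a single mass-read alert once the sweep crosses 20 distinct files.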
Known Threat Actors Using T1552.001
T1552.001 appears across threat actor categories from nation-state espionage groups to financially motivated criminal organizations. The following groups have documented use of this technique as part of their post-compromise toolsets:
- APT3 (China, UNC0401 / Buckeye) — Has used custom tooling to locate and extract browser-stored credentials from Firefox and Chrome profile directories on compromised file systems.
- APT33 (Iran, Elfin) — Deploys LaZagne and similar tools to collect credentials from email clients, browsers, and system credential stores following initial access via spearphishing or VPN exploitation.
- Ember Bear (Russia, GRU) — Recovers plaintext credentials from device configuration files on network infrastructure, cameras, and industrial control systems as part of broader critical infrastructure targeting.
- Emotet (cybercrime, TA542) — Includes a module specifically designed to retrieve passwords stored in files and system credential stores for the current logged-in user, supporting downstream ransomware deployment by affiliates.
- FIN13 / Elephant Beetle (cybercrime, Latin America-focused) — Manually browses file systems on compromised machines to locate administrative credential material as part of long-term financial fraud operations.
- Fox Kitten (Iran) — Accesses credential files to obtain valid accounts following initial access via exploitation of VPN appliances.
- Kimsuky (North Korea) — Uses tools capable of extracting credentials from saved mail profiles as part of targeted espionage operations against research and academic institutions.
- OilRig / APT34 (Iran) — Employs LaZagne and related credential dumping tools to harvest saved credentials from accounts logged into compromised systems, including Outlook Web Access credentials.
- TeamTNT (cybercrime, cloud-focused) — Specifically hunts SSH keys, Docker credentials, and cloud provider credential files in containerized and IaaS environments to expand cryptomining infrastructure.
Defensive Recommendations
- Audit and eliminate plaintext credential storage: Conduct regular sweeps of file systems, code repositories, and configuration management systems for files containing credential material. Tools such as TruffleHog, GitLeaks, and detect-secrets can automate this process in CI/CD pipelines and against existing repositories. Any discovered credentials should be rotated immediately and the storage practice corrected.
- Use secrets management systems: Replace file-based credential storage with a dedicated secrets manager such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Applications retrieve credentials at runtime via authenticated API calls rather than reading static files, eliminating the target for T1552.001 entirely in those contexts.
- Enable and monitor file system auditing: Configure Windows Security Auditing (Event ID 4663) and Linux auditd rules to log access to known sensitive file paths. Forward these events to a SIEM and alert on access outside of expected processes or time windows. Pay particular attention to paths such as `C:\Windows\Panther\`, home directory credential stores, and web application configuration files.
- Restrict unnecessary file system access: Apply least-privilege file permissions so that service accounts and user accounts cannot read credential files they have no business reason to access. SYSVOL GPP XML files should be purged if present, since the cpassword encryption is trivially broken with the publicly known key. Configuration files should be owned by the application service account and not readable by other users.
- Detect and block known credential harvesting tools: Maintain application control policies that prevent execution of tools such as LaZagne, Snaffler, SessionGopher, and WinPwn on endpoints. These tools have no legitimate use case in production environments and their presence is a reliable indicator of compromise. EDR platforms should alert on their execution regardless of how they are invoked.
- Protect cloud credential files at the OS level: On systems that use cloud CLI tools, enforce file permissions on `~/.aws/credentials`, `~/.azure/`, and `~/.config/gcloud/` to prevent access by accounts other than the owning user. Where possible, use instance metadata service credentials or workload identity rather than stored credential files, so that no credential file exists on disk to be stolen.
- Rotate credentials proactively following any compromise indicator: Because credential files may have been read during an intrusion that was not immediately detected, rotate all potentially exposed credentials as part of the incident response process — even if no evidence of active use has been observed. Assume that any credential accessible to a compromised account has been collected.
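A permission audit for the credential stores named in the file-permission recommendations above, as an added example that is not part of the original article. It assumes a Unix-like host, the path list below, and owner-only modes (0600 for files, 0700 for directories) as the expected state; the sample home directory is a constructed fixture.

```python
"""Permission audit for the cloud and SSH credential stores the article names.
Added example, not part of the original article; the path list, the expected
0600/0700 modes and the sample home directory are assumptions (Unix-like hosts)."""
import os
import stat
import tempfile

# Credential stores relative to a user's home directory (assumed list).
CREDENTIAL_PATHS = [".aws/credentials", ".azure", ".config/gcloud",
                    ".docker/config.json", ".netrc", ".ssh/id_rsa"]

def check_path(path, owner_uid=None):
    """Findings for one path: absent is fine; group/other bits and a foreign owner are not."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []          # nothing on disk to steal
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit its target separately"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("group/other access bits set (mode %04o)" % mode)
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    return findings

def audit_home(home, owner_uid=None):
    """Map each credential path that has findings to its list of findings."""
    result = {}
    for rel in CREDENTIAL_PATHS:
        findings = check_path(os.path.join(home, rel), owner_uid)
        if findings:
            result[rel] = findings
    return result

def remediate(home):
    """Tighten modes to owner-only: 0700 for directories, 0600 for files."""
    for rel in audit_home(home):
        path = os.path.join(home, rel)
        if not os.path.islink(path):
            os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)

def build_sample_home():
    """Constructed fixture: one lax file, one lax directory, one correct file."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".aws"))
    os.makedirs(os.path.join(home, ".config", "gcloud"))
    for rel, mode in ((".aws/credentials", 0o644), (".netrc", 0o600)):
        open(os.path.join(home, rel), "w").close()
        os.chmod(os.path.join(home, rel), mode)
    os.chmod(os.path.join(home, ".config", "gcloud"), 0o755)
    return home
```

On the fixture, `audit_home` flags `.aws/credentials` (0644) and `.config/gcloud` (0755) and passes `.netrc`; after `remediate`, the audit comes back empty.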
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1552.001 |
| Technique Name | Unsecured Credentials: Credentials In Files |
| Parent Technique | T1552 — Unsecured Credentials |
| Tactic | Credential Access (TA0006) |
| Platforms | Containers, IaaS, Linux, Windows, macOS |
| Data Sources | File: File Access; Command: Command Execution; Process: Process Creation |
| Mitigations | M1017 User Training; M1027 Password Policies; M1022 Restrict File and Directory Permissions; M1047 Audit |
| ATT&CK Version | v18 (Last Modified: 24 October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1552/001 |
Frequently Asked Questions
What is T1552.001 Credentials In Files?
T1552.001 is a MITRE ATT&CK sub-technique under Unsecured Credentials (T1552) in which adversaries search local file systems and remote network shares for files that contain insecurely stored credentials. Targets include configuration files, shell scripts, source code with embedded passwords, backup files, and cloud credential stores.
How do adversaries use Credentials In Files?
Adversaries use keyword searches (for terms like "password," "passwd," "secret," or "key") across accessible file paths, or run credential-harvesting tools such as LaZagne to automatically extract stored credentials from dozens of application-specific locations. Recovered credentials are then used for lateral movement, privilege escalation, or further data access.
How can organizations detect T1552.001?
Detection involves monitoring file system access to sensitive paths containing credential material, alerting on mass file reads or keyword-based file searches across directories, and tracking execution of known credential harvesting tools. SIEM rules should flag access to files such as .netrc, unattend.xml, .aws/credentials, and similar locations outside normal application context.
Sources and References
- MITRE ATT&CK — T1552.001 Unsecured Credentials: Credentials In Files: attack.mitre.org
- Palo Alto Networks Unit 42 — Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes: unit42.paloaltonetworks.com
- Palo Alto Networks Unit 42 — Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed: unit42.paloaltonetworks.com
- Symantec — Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.: symantec.com
- CISA — Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure (AA24-249A): cisa.gov
- Sygnia — Elephant Beetle: Uncovering an Organized Financial-Theft Operation: sygnia.co
- Red Canary — Atomic Red Team T1552.001 Test Cases: github.com/redcanaryco
- SpecterOps — Head in the Clouds (Cloud Credential Storage): specterops.io