T1552 is the umbrella technique for credentials left where attackers can read them: plaintext secrets in environment variables, keys committed to repositories, unencrypted secret stores. More cloud breaches start here than with any exploit. DCV anchors coverage in AWS Security Hub's FSBP controls: the Secrets Manager rotation series, CodeBuild checks for plaintext credentials in build environments and the EKS secrets-encryption control, with GCP Security Command Center contributing equivalent findings. Rotation cadence is the metric that separates written policy from actual practice.
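As an added illustration of what those two control families actually evaluate (this is example code, not DCV's or CloudSigma's), the following offline check scores Secrets Manager rotation cadence and flags static AWS credentials stored as PLAINTEXT CodeBuild environment variables. It assumes record shapes matching boto3 `describe_secret()` and CodeBuild project output; the 90-day policy threshold and all sample records are constructed.

```python
# Added illustration of the two FSBP control families named above (not DCV/CloudSigma code).
# Record shapes follow boto3 describe_secret() and CodeBuild project output; the
# 90-day threshold and every sample record below are constructed for this example.
from datetime import datetime, timedelta, timezone

# Static AWS credential variables that must never be stored as PLAINTEXT in a build env
CREDENTIAL_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def check_secret(secret: dict, now: datetime, max_age_days: int = 90) -> list[str]:
    """Findings for one describe_secret() record; an empty list means compliant."""
    findings, name = [], secret["Name"]
    if not secret.get("RotationEnabled"):
        findings.append(f"{name}: automatic rotation disabled")
    # A secret never rotated is judged by its creation date (policy on paper vs practice)
    last = secret.get("LastRotatedDate") or secret.get("CreatedDate")
    if last is None or now - last > timedelta(days=max_age_days):
        findings.append(f"{name}: not rotated within {max_age_days} days")
    interval = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if interval is not None and interval > max_age_days:
        findings.append(f"{name}: rotation interval {interval}d exceeds policy")
    return findings


def check_codebuild_env(project: dict) -> list[str]:
    """Flag PLAINTEXT build-environment variables that carry static AWS credentials."""
    env = project.get("environment", {}).get("environmentVariables", [])
    return [f"{project['name']}: {v['name']} stored as PLAINTEXT" for v in env
            if v.get("type", "PLAINTEXT") == "PLAINTEXT" and v["name"] in CREDENTIAL_ENV_NAMES]


# Constructed sample records (not from any real account)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=20),
     "RotationRules": {"AutomaticallyAfterDays": 30}},
    {"Name": "legacy/api-key", "RotationEnabled": False, "CreatedDate": NOW - timedelta(days=400)},
]
SAMPLE_PROJECT = {"name": "build-web", "environment": {"environmentVariables": [
    {"name": "AWS_ACCESS_KEY_ID", "value": "SAMPLE-NOT-A-REAL-KEY", "type": "PLAINTEXT"},
    {"name": "DB_PASSWORD", "value": "prod/db", "type": "SECRETS_MANAGER"},
]}}


def run_checks() -> list[str]:
    """Evaluate every sample record and return all findings in order."""
    out = [f for s in SAMPLE_SECRETS for f in check_secret(s, NOW)]
    return out + check_codebuild_env(SAMPLE_PROJECT)
```

Pointing the same functions at live `describe_secret()` and `batch_get_projects()` output gives a quick local read on rotation cadence before the Security Hub findings land.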
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
Platforms: Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider.
DCV maps 13 detections across 3 cloud providers to T1552. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 8 | 0.83 |
| Azure Regulatory Compliance | Azure | 2 | 0.93 |
| GCP Security Command Center | GCP | 2 | 0.88 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma has coverage metadata for 13 T1552 rules across 6 platforms. The linked platform page remains the canonical rule surface; no public example rule clears the embed bar for this page yet, and an example will be embedded once one does. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 13 cloud-native detections to T1552 across 3 cloud providers, drawn from AWS Security Hub, Azure Regulatory Compliance, GCP Chronicle and GCP Security Command Center.
T1552 sits under the MITRE ATT&CK tactic TA0006, Credential Access: the techniques adversaries use to steal credentials such as account names and passwords.
CloudSigma ships 6 validated Sigma rules for T1552 across AWS CloudTrail, Azure Activity, GCP Audit Logs, Kubernetes Audit, Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.