Unsecured Credentials
Credentials stored or transmitted insecurely (in source, env files, cloud metadata, password stores).
§ Where this technique fits
T1552 is catalogued under the Credential Access tactic of the offensive-security kill chain. It appears in 18 approved dossiers in the registry, at step 4.4 on average.
Authoritative reference: attack.mitre.org/techniques/T1552/.
§ Dossiers chaining this technique
- step 3 / 5 · WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)
  A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; the SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- step 3 / 6 · SNMPv2c write-community → router config exfil → cred sprays
  Find a router with the 'private' RW community. Trigger an SNMP-to-TFTP config download to an attacker host. The config contains the RADIUS shared secret, the AAA server IP, ISAKMP PSKs, and SSH user public keys — spray the harvested creds.
- step 3 / 6 · Exposed etcd → cluster-wide secret raid
  etcd is reachable without mTLS — read every Secret in the cluster, including service-account tokens that grant cluster-admin.
- step 4 / 7 · Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
  The attacker compromised a single LastPass DevOps engineer's home machine via an outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, and exfiltrated production vault data.
- step 4 / 5 · Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
  A crafted Content-Type header is parsed as OGNL — execute commands as the app user. The origin of the 2017 Equifax breach: an unpatched Struts endpoint exposed to the internet.
- step 4 / 6 · F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
  A Connection-header smuggle bypasses iControl REST auth, giving command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- step 4 / 5 · User foothold → keychain dump → cloud creds
  A standard user shell on macOS. Brute-force the login.keychain master password via ChainBreaker, or use a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.
- step 4 / 6 · npm typosquat → developer workstation → corporate VPN
  Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, which exfils SSH keys and the VPN profile, and the attacker then connects to the corporate network.
- step 4 / 6 · SSRF → IMDS → cloud creds → lateral
  An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
- step 5 / 6 · Evil maid → sniff TPM unseal → decrypt BitLocker offline
  Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- step 5 / 6 · FortiGate SSL-VPN pre-auth RCE → config theft
  A pre-auth heap overflow / format-string bug in FortiGate sslvpnd grants root on the appliance. Pull the running config and decrypt the stored RADIUS / LDAP / VPN-user secrets.
- step 5 / 5 · Open ADB on the network → device shell
  An IoT / dev device left with adbd listening on TCP/5555 — anyone on the LAN can run `adb connect` and get a shell as the shell user, including pulling user data.
- step 5 / 5 · TCC bypass → access Photos / Camera without consent
  Inject into a process that already has Full Disk Access (e.g. a backup utility or Terminal). The inherited TCC entitlement lets the attacker's code read TCC-gated data — Photos, the iMessage DB, Documents.
- step 5 / 6 · Exported ContentProvider → private data leak
  An app exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
- step 5 / 7 · Privileged pod escape → cluster admin
  GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the cluster-admin kubeconfig.
- step 5 / 6 · XXE → SSRF → IMDS → cloud creds
  An XML parser configured with external entity resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.
- step 6 / 6 · Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- step 6 / 6 · Spectre-class side-channel → cross-tenant memory leak
  A pre-mitigation cloud VM lets a co-tenant trigger speculative loads from kernel / sibling-VM memory. Cache side-channel measurements recover sensitive data, including TLS keys and cloud creds.
§ What commonly comes next
- 01 Valid Accounts · seen 5× · T1078 · Initial Access
- 02 Exfiltration Over C2 Channel · seen 3× · T1041 · Exfiltration
- 03 S3 / Blob / GCS Mass Exfil · seen 2× · C-S3-EXFIL · Collection
- 04 Account Discovery · seen 1× · T1087 · Discovery
- 05 Modify Authentication Process · seen 1× · T1556 · Credential Access
- 06 Password Spraying · seen 1× · T1110.003 · Credential Access
- 07 Steal Web Session Cookie · seen 1× · T1539 · Credential Access