Unsecured Credentials (T1552)
Users are lazy. They save passwords in files.
1. Credentials in Files
Searching file shares for gold.
- Command: findstr /s /i "password" *.xml *.ini *.txt
- Targets: web.config, unattend.xml (Windows install answer file), id_rsa (SSH private keys).
2. Group Policy Preferences (GPP)
Legacy issue (MS14-025). Domain Admins used to push local admin passwords via GPO.
- The password is encrypted with an AES key that Microsoft itself published, so the encryption offers no protection.
- Attack: Read Groups.xml in SYSVOL, decrypt the cpassword field.
3. Shell History
- Linux: ~/.bash_history often contains lines such as mysql -u root -pPassword123.
- PowerShell: the file at (Get-PSReadlineOption).HistorySavePath contains every command typed into interactive sessions.
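The three sections above describe the same defender's problem from three angles: credentials sitting in plain files on shares, in GPP XML under SYSVOL, and in shell history. The audit script below is an added example, not part of the original notes or of any tool the notes mention. It walks a directory tree and reports the file, the rule that fired and a redacted evidence string, so the report itself never becomes another unsecured credential. The sample tree it builds is constructed for the demo: the file contents, the {POLICY-GUID-PLACEHOLDER} path segment and the cpassword value are all made up. It also goes slightly beyond the notes by scanning PSReadLine's default history file name (ConsoleHost_history.txt) and by flagging cpassword attributes in any GPP XML file, not only Groups.xml.

```python
"""Credential-exposure audit for T1552-style findings (added example).

Reports files that carry unsecured credentials, with secret values redacted.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# File names whose mere presence on a share is worth a finding (from the notes).
SENSITIVE_NAMES = {"web.config", "unattend.xml", "id_rsa"}

# Text rules applied line by line. A named group 'secret' is redacted in output.
TEXT_RULES = [
    ("password-keyword",
     re.compile(r"(?i)\bpassword\b\s*[=:]\s*[\"']?(?P<secret>[^\"'<;\s]+)")),
    ("inline-db-password",            # e.g. mysql -u root -pPassword123 in .bash_history
     re.compile(r"\bmysql\b.*\s-p(?P<secret>\S+)")),
    ("securestring-plaintext",        # PowerShell history: ConvertTo-SecureString "x" -AsPlainText
     re.compile(r"ConvertTo-SecureString\s+[\"'](?P<secret>[^\"']+)[\"']\s+-AsPlainText")),
    ("private-key-material",          # id_rsa and friends; nothing to redact but the header
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

MAX_BYTES = 1 << 20   # skip huge files; text scanning is line based anyway


@dataclass
class Finding:
    path: str
    rule: str
    line: int          # 0 when the finding is about the file as a whole
    evidence: str      # matched text with the secret portion replaced by ***


def redact(match):
    """Return the matched text with the 'secret' group (if any) masked."""
    text = match.group(0)
    if match.groupdict().get("secret"):
        s, e = match.span("secret")
        off = match.start()
        text = text[: s - off] + "***" + text[e - off:]
    return text


def scan_text(path):
    """Apply TEXT_RULES to every line of a file; evidence is already redacted."""
    out = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for rule, rx in TEXT_RULES:
                m = rx.search(line)
                if m:
                    out.append(Finding(path, rule, n, redact(m)))
    return out


def gpp_cpassword_findings(path):
    """Flag any element carrying a cpassword attribute in a GPP XML file.

    The attribute value is never copied into the report; only the tag and the
    account it applies to are shown, which is enough to locate and remove it.
    """
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return []
    out = []
    for elem in tree.iter():
        if "cpassword" in elem.attrib:
            who = elem.attrib.get("userName") or elem.attrib.get("accountName") or "?"
            out.append(Finding(path, "gpp-cpassword", 0,
                               f"<{elem.tag}> userName={who} cpassword=***"))
    return out


def audit_tree(root):
    """Walk a tree and collect findings from all three rule families."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SENSITIVE_NAMES:
                findings.append(Finding(path, "sensitive-file-name", 0, name))
            if os.path.getsize(path) > MAX_BYTES:
                continue
            if name.lower().endswith(".xml"):
                findings.extend(gpp_cpassword_findings(path))
            findings.extend(scan_text(path))
    return findings


def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    base = tempfile.mkdtemp(prefix="t1552-audit-")
    samples = {  # every value below is constructed for this example
        "share/app/web.config":
            '<configuration><connectionStrings>\n'
            '<add name="db" connectionString="Server=db01;Password=S3cret!;" />\n'
            '</connectionStrings></configuration>\n',
        "SYSVOL/corp.local/Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Preferences/Groups/Groups.xml":
            '<Groups><User name="Administrator (built-in)">'
            '<Properties action="U" userName="Administrator" cpassword="SAMPLE-BLOB"/>'
            '</User></Groups>\n',
        "home/alice/.bash_history": "ls -la\nmysql -u root -pPassword123 appdb\n",
        "home/bob/PSReadLine/ConsoleHost_history.txt":
            'Get-Process\n$p = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force\n',
        "home/alice/.ssh/id_rsa":
            "-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n",
    }
    for rel, content in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return audit_tree(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule:24} {f.path}:{f.line}  {f.evidence}")
```

Run it against a mounted share or a SYSVOL replica and triage the "gpp-cpassword" hits first: patching MS14-025 stops new cpassword values being written but leaves existing XML files in place, so each hit means the preference must be deleted and the account's password rotated. Extend TEXT_RULES with the keywords your own configuration formats use; the redaction step keeps the report safe to hand around regardless.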