Suspicious access to cloud credential files

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-04-07
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Cloud

Detector Tags

Cloud Lateral Movement Analytics

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Informational

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.

Variations

Suspicious access to cloud credential files of various cloud providers within a cloud instance

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Low

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.


Suspicious access to cloud credential files within a cloud instance

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Informational

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.


Suspicious access to Windows cloud credential files of various cloud providers

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Medium

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.


Suspicious access to Windows cloud credential files by an unusual process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Low

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.


Suspicious access to cloud credential files of various cloud providers

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Medium

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.


Suspicious access to cloud credential files by an unusual process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Low

Description

A process accessed multiple cloud credential files, which may indicate a credential theft activity.

Attacker's Goals

Gain initial access to the cloud environment.

Investigative actions

  • Verify if the executing process is doing more suspicious activities.
  • Verify if the exposed credential files were used to access to the cloud environment.
  • Verify which operations were used against the cloud environment with the exposed credentials.