AWS GetAuthorizationToken
Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.
T1552: Unsecured Credentials
T1552: Unsecured Credentials
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g.
View on MITRE ATT&CK →AWS GetParameters
Retrieves one or more parameters from AWS Systems Manager Parameter Store, optionally decrypting SecureString values.
AWS GetPasswordData
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.
AWS GetSecretValue
Retrieves the plaintext value of a secret stored in AWS Secrets Manager.
Azure Microsoft.AppConfiguration/configurationStores/listKeys/action
Lists the access keys for an Azure App Configuration store, exposing credentials used to read or write configuration data.
Azure Microsoft.Automation/automationAccounts/credentials/read
Reads credential assets stored in an Azure Automation account, potentially exposing sensitive authentication data.
Azure Microsoft.Batch/batchAccounts/listKeys/action
Lists the access keys for an Azure Batch account, exposing credentials used to authenticate Batch API calls.
Azure Microsoft.ContainerRegistry/registries/listCredentials/action
Lists the admin credentials for an Azure Container Registry, exposing the username and password for registry access.
Azure Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Azure Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Retrieves the user-level kubeconfig for an AKS cluster.
Azure Microsoft.KeyVault/vaults/certificates/read
Reads a certificate stored in an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/keys/read
Reads a cryptographic key from an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/secrets/read
Reads a secret value from an Azure Key Vault.
Azure Microsoft.OperationalInsights/workspaces/sharedKeys/action
Retrieves the primary and secondary access keys for a Log Analytics workspace.
Azure Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action
Lists the access keys for an Azure Service Bus namespace authorization rule, exposing connection strings for messaging.
Azure Microsoft.Storage/storageAccounts/listKeys/action
Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.
Azure Microsoft.Web/sites/host/listKeys/action
Lists the host keys for an Azure App Service or Azure Functions app, exposing function-level and master access keys.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.