Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0307: Detect Access to Unsecured Credential Files Across Platforms

DET0307 is a detection strategy for finding access to unsecured credential files. Its business significance is that credentials left in configuration files...

EnterpriseDET0307Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0307 is a detection strategy for finding access to unsecured credential files. Its business significance is that credentials left in configuration files, source code, backups, saved virtual machines, shared stores, or user-created files can turn a single host or repository exposure into broader account, service, or cloud access. Leaders should treat this as both a detection engineering problem and a credential hygiene problem: the best outcome is not only alerting on access, but reducing where these files exist and proving that sensitive locations are monitored.

Executive priority

Prioritize this where Linux, macOS, container, and IaaS environments support critical services or privileged automation. The related ATT&CK technique is Credential Access: Credentials In Files (T1552.001), so coverage affects incident containment speed, identity risk, cloud security readiness, and audit evidence for secrets handling. Executives should ask whether the organization knows where credentials are stored insecurely, whether access to those locations is logged, and whether exposed credentials can be rotated quickly during an incident.

Technical view

The supplied detection object has no official detection text, platforms, or tactics, so validation should be driven by the related technique context: detecting access to files that may contain insecurely stored credentials across Containers, IaaS, Linux, and macOS. SOC and detection teams should confirm visibility into file reads, searches, and process activity around known credential-bearing locations such as configuration files, source code paths, shared credential stores, backups, and saved virtual machine artifacts. IR teams should pair any detection with scoping for credential exposure and follow-on use, not just the initial file access event.

Likely telemetry

  • Endpoint file access events for sensitive files, directories, configuration paths, source repositories, backups, and saved VM artifacts
  • Process execution and command-line telemetry showing searches or reads of files likely to contain credentials
  • File share or repository access logs where shared credential stores, source code, or configuration files are accessible
  • Container host or workload telemetry for access to mounted secrets, configuration files, or credential-like files
  • IaaS audit or workload logs that can show access to credential-bearing files or storage locations

Detection direction

  • Start by inventorying known credential-bearing file types and locations; detections without this context are likely to be noisy or incomplete.
  • Validate that file access telemetry is actually enabled on the relevant Linux, macOS, container, and IaaS workloads referenced by the related technique.
  • Tune for unusual access patterns: unexpected users, processes, workloads, or service accounts reading credential-like files, configuration files, backups, saved VM files, or source code containing secrets.
  • Correlate file access with process execution so routine application reads can be distinguished from interactive shell activity, bulk searching, or access by unusual tooling.
  • Expect false positives from administrators, backup agents, deployment tools, scanners, and applications that legitimately read configuration or secret material; document expected access paths.

Mitigation priorities

  • Reduce the number of unsecured credential files by moving secrets out of user-created files, source code, and configuration files where practical.
  • Apply least-privilege permissions to credential-bearing files, shared stores, backups, and saved virtual machine artifacts.
  • Use secrets discovery and review processes to identify credentials embedded in source code, binaries, configuration files, and backups.
  • Ensure credential rotation procedures are ready for cases where file access indicates possible exposure.
  • Preserve audit evidence showing where sensitive credential files are located, who can access them, and which telemetry sources monitor access.
Analyst notes and limits

This take is based on the DET0307 name, external reference, and its relationship to T1552.001 Credentials In Files. The detection object itself does not provide official detection logic, so local implementation must define sensitive paths, expected access patterns, and environment-specific logging controls.

ATT&CK fields for this detection strategy are sparse: no official description, no official detection guidance, no object-level platforms, and no object-level tactics are provided. Platform and tactic context comes only from the related T1552.001 technique. This does not establish active exploitation, adversary attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detect Access to Unsecured Credential Files Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1552.001 Credentials In Files Sub-technique This object detects Credentials In Files.
Relationship explorer

All related ATT&CK context

detects · Technique T1552.001: Credentials In Files Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
e01492962a7f2cf7...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle e01492962a7f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0307
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use