Loading AttackTrace...
ATT&CK tactic
67 techniques mapped to this tactic.
OS Credential Dumping (T1003) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
The Local Security Authority Subsystem Service (lsass.exe) enforces Windows security policy and processes authentication. Depending on system configuration and active sessions, its memory may contain credential material useful for lateral movement or privilege escalation. Adve…
Security Account Manager (T1003.002) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in memory techniques or through the Windows Registry wher…
NTDS (T1003.003) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such a…
LSA Secrets (T1003.004) is a MITRE ATT&CK technique associated with Credential Access . Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for…
Cached Domain Credentials (T1003.005) is a MITRE ATT&CK technique associated with Credential Access . On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS Cache v2 hash. The number of default cached credentials varies…
DCSync abuses Active Directory replication rights to request password derived data as though the requester were a domain controller. The request can originate from a non domain controller system and may expose high impact credential material, including data associated with pri…
Proc Filesystem (T1003.007) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may gather credentials from the proc filesystem or /proc.
/etc/passwd and /etc/shadow (T1003.008) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to dump the contents of <code /etc/passwd</code and <code /etc/shadow</code to enable offline password cracking.
Network Sniffing (T1040) is a MITRE ATT&CK technique associated with Credential Access, Discovery . Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Input Capture (T1056) is a MITRE ATT&CK technique associated with Collection, Credential Access . Adversaries may use methods of capturing user input to obtain credentials or collect information.
Keylogging (T1056.001) is a MITRE ATT&CK technique associated with Collection, Credential Access . Adversaries may log user keystrokes to intercept credentials as the user types them.
GUI Input Capture (T1056.002) is a MITRE ATT&CK technique associated with Collection, Credential Access . Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt.
Web Portal Capture (T1056.003) is a MITRE ATT&CK technique associated with Collection, Credential Access . Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Credential API Hooking (T1056.004) is a MITRE ATT&CK technique associated with Collection, Credential Access . Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials.
Brute Force (T1110) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of…
Password Guessing (T1110.001) is a MITRE ATT&CK technique associated with Credential Access . Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Password Cracking (T1110.002) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
Password Spraying (T1110.003) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.
Credential Stuffing (T1110.004) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
Multi Factor Authentication Interception (T1111) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may target multi factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to a…
Forced Authentication (T1187) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Exploitation for Credential Access (T1212) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Steal Application Access Token (T1528) is a MITRE ATT&CK technique associated with Credential Access . Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Steal Web Session Cookie (T1539) is a MITRE ATT&CK technique associated with Credential Access . An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing cred…
Unsecured Credentials (T1552) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Credentials In Files (T1552.001) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Credentials in Registry (T1552.002) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search the Registry on compromised systems for insecurely stored credentials.
Shell History (T1552.003) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search the command history on compromised systems for insecurely stored credentials.
Private Keys (T1552.004) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Cloud Instance Metadata API (T1552.005) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Group Policy Preferences (T1552.006) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP).
Container API (T1552.007) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may gather credentials via APIs within a containers environment.
Chat Messages (T1552.008) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may directly collect unsecured credentials stored or passed through user communication services.
Credentials from Password Stores (T1555) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating syst…
Keychain (T1555.001) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may acquire credentials from Keychain.
Securityd Memory (T1555.002) is a MITRE ATT&CK technique associated with Credential Access . An adversary with root access may gather credentials by reading securityd’s memory.
Credentials from Web Browsers (T1555.003) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and…
Windows Credential Manager (T1555.004) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may acquire credentials from the Windows Credential Manager.
Password Managers (T1555.005) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may acquire user credentials from third party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database.
Cloud Secrets Management Stores (T1555.006) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may acquire credentials from cloud native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.
Modify Authentication Process (T1556) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
Domain Controller Authentication (T1556.001) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable acce…
Password Filter DLL (T1556.002) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they…
Pluggable Authentication Modules (T1556.003) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to acco…
Network Device Authentication (T1556.004) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms…
Reversible Encryption (T1556.005) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems.
Multi Factor Authentication (T1556.006) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may disable or modify multi factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Hybrid Identity (T1556.007) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on premises user identities in order to bypass typi…
Network Provider DLL (T1556.008) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication p…
Conditional Access Policies (T1556.009) is a MITRE ATT&CK technique associated with Defense Impairment, Persistence, Credential Access . Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts.
Adversary in the Middle (T1557) is a MITRE ATT&CK technique associated with Credential Access, Collection . Adversaries may attempt to position themselves between two or more networked devices using an adversary in the middle (AiTM) technique to support follow on behaviors suc…
Name Resolution Poisoning and SMB Relay (T1557.001) is a MITRE ATT&CK technique associated with Credential Access, Collection . By responding to LLMNR/NBT NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an…
ARP Cache Poisoning (T1557.002) is a MITRE ATT&CK technique associated with Credential Access, Collection . Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices.
DHCP Spoofing (T1557.003) is a MITRE ATT&CK technique associated with Credential Access, Collection . Adversaries may redirect network traffic to adversary owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the…
Evil Twin (T1557.004) is a MITRE ATT&CK technique associated with Credential Access, Collection . By using a Service Set Identifier (SSID) of a legitimate Wi Fi network, fraudulent Wi Fi access points may trick devices or users into connecting to malicious Wi Fi networks. Adve…
Steal or Forge Kerberos Tickets (T1558) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.
Golden Ticket (T1558.001) is a MITRE ATT&CK technique associated with Credential Access . Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources.
Silver Ticket (T1558.002) is a MITRE ATT&CK technique associated with Credential Access . Adversaries who have the password hash of a target service account (e.g.
Kerberoasting obtains Kerberos service tickets for accounts with service principal names and attempts to recover their passwords offline. Any authenticated domain user can normally request tickets for accessible services, so the request itself is legitimate. Risk arises when a…
AS REP Roasting (T1558.004) is a MITRE ATT&CK technique associated with Credential Access . Preauthentication offers protection against offline Password Cracking.
Ccache Files (T1558.005) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache).
Forge Web Credentials (T1606) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Web Cookies (T1606.001) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
SAML Tokens (T1606.002) is a MITRE ATT&CK technique associated with Credential Access . An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token signing certificate. The default lifetime of a SAML token is one hour, but th…
Multi Factor Authentication Request Generation (T1621) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may attempt to bypass multi factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Steal or Forge Authentication Certificates (T1649) is a MITRE ATT&CK technique associated with Credential Access . Adversaries may steal or forge certificates used for authentication to access remote systems or resources.