Credential Access
What is Credential Access?
The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
Credential Access (MITRE ATT&CK tactic TA0006) groups the techniques adversaries use to obtain credentials, or material that can be turned into credentials offline, so they can authenticate as legitimate users. Examples include dumping LSASS memory with tools such as Mimikatz, extracting NTDS.dit from a domain controller, reading the SAM and SECURITY registry hives, harvesting browser-stored passwords, Kerberoasting and AS-REP roasting (requesting Kerberos tickets that are then cracked offline), capturing NTLM challenge-responses with Responder, reading cloud-provider tokens from disk, phishing for MFA codes, and abusing OAuth consent grants. Because stolen credentials let an attacker log on as a valid account, they enable lateral movement, persistence, and privilege escalation while often bypassing malware-focused detections. Defenders rely on Credential Guard, LSA Protection (RunAsPPL), strong (ideally phishing-resistant) MFA, a tiered administration model, password vaulting, detection of anomalous logons and ticket requests, and immediate revocation of credentials and sessions when compromise is suspected.
● Examples
- 01 Running Mimikatz to extract plaintext credentials and password hashes from a Windows server's LSASS process.
- 02 Performing a Kerberoasting attack: requesting service tickets (TGS) for accounts that have SPNs and cracking them offline to recover the service accounts' passwords.
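The two examples above, and the "anomalous-logon detection" the definition relies on, are easier to see in working detection logic. The following is an added example, not code from the original page: a small offline detector that flags Mimikatz-style reads of LSASS memory (Sysmon Event ID 10 with a PROCESS_VM_READ access mask from a non-allowlisted process) and Kerberoasting (Security Event ID 4769 where one account requests RC4-HMAC service tickets for many distinct service accounts in a short window). The Sysmon and 4769 field names are real; the JSON-lines log format, the threshold, the allowlist, and the sample paths and account names are assumptions made for this example.

```python
"""
Added example (not code from the original page): an offline detector for two
Credential Access techniques described above, run over constructed sample logs.

  1. LSASS memory read (Mimikatz-style dumping): Sysmon Event ID 10
     (ProcessAccess) where TargetImage is lsass.exe, the GrantedAccess mask
     includes PROCESS_VM_READ (0x0010) and SourceImage is not allowlisted.
  2. Kerberoasting: Security Event ID 4769 (service ticket request) with
     TicketEncryptionType RC4-HMAC (0x17) where one account requests tickets
     for many distinct service accounts within a short window.

The JSON-lines format, the threshold, the allowlist and the sample paths and
account names are assumptions made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
RC4_HMAC = 0x17            # etype Kerberoasting tools request so hashes crack fast
SPN_THRESHOLD = 5          # distinct service accounts per requester per window (assumption)
WINDOW = timedelta(minutes=5)

# Processes that legitimately open LSASS with read rights (assumption; tune per estate).
LSASS_ALLOWLIST = {p.lower() for p in (
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
)}


def detect_lsass_access(events):
    """Return (time, source image, access mask) for suspicious reads of lsass.exe."""
    hits = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not e.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        granted = int(e.get("GrantedAccess", "0x0"), 16)
        src = e.get("SourceImage", "")
        if granted & PROCESS_VM_READ and src.lower() not in LSASS_ALLOWLIST:
            hits.append((e["UtcTime"], src, hex(granted)))
    return hits


def detect_kerberoasting(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Map requester -> sorted service accounts when >= threshold distinct
    RC4 service tickets were requested within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status", "0x0") != "0x0":
            continue
        if int(e.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # TGT renewals (krbtgt) and computer accounts (NAME$) are not Kerberoast targets.
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["UtcTime"]), svc))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # sliding window from each request
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts


def run_detections(log_text):
    """Parse JSON-lines log text and run both detectors."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return {"lsass_access": detect_lsass_access(events),
            "kerberoasting": detect_kerberoasting(events)}


# Constructed sample log: two benign and one malicious LSASS access, one
# Kerberoasting burst (jdoe) and benign single requests (asmith).
SAMPLE_LOG = r"""
{"EventID": 10, "UtcTime": "2024-03-01T10:00:01", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "UtcTime": "2024-03-01T10:02:14", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2024-03-01T10:03:40", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\mimikatz.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:00", "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:05", "TargetUserName": "jdoe", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:12", "TargetUserName": "jdoe", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:20", "TargetUserName": "jdoe", "ServiceName": "svc_report", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:31", "TargetUserName": "jdoe", "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:44", "TargetUserName": "jdoe", "ServiceName": "svc_mon", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:05:50", "TargetUserName": "jdoe", "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:07:00", "TargetUserName": "asmith", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "UtcTime": "2024-03-01T10:07:03", "TargetUserName": "asmith", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"}
"""

if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(name, result)
```

On the sample input the LSASS detector reports only the mimikatz.exe access (0x1010), since Defender is allowlisted and svchost.exe never requested PROCESS_VM_READ, and the Kerberoasting detector reports only jdoe, who pulled six RC4 service tickets in under a minute; asmith's single RC4 ticket and the krbtgt renewal stay below the threshold. In production the threshold and allowlist need tuning, and moving service accounts to AES-only keys plus long random passwords removes most of the RC4 signal the attacker depends on.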
● Frequently asked questions
What is Credential Access?
The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets. It belongs to the Defense & Operations category of cybersecurity.
How does Credential Access work?
Adversaries first gain a foothold on a host or in a cloud tenant, then harvest whatever secrets are reachable from that position: process memory (LSASS), on-disk stores (NTDS.dit, the SAM and SECURITY hives, browser password databases, cloud CLI token caches), network traffic (NTLM challenge-responses captured with Responder), or Kerberos itself (Kerberoasting and AS-REP roasting, where tickets are requested legitimately and cracked offline). Where a secret is not directly readable they target the user instead, phishing for MFA codes or tricking them into approving a malicious OAuth application. The recovered credentials are then reused to authenticate as the victim, as described in the full definition above.
How do you defend against Credential Access?
Defences for Credential Access combine hardening of the places credentials live with detection of their misuse: enable Credential Guard and LSA Protection (RunAsPPL) so ordinary processes cannot read LSASS memory; enforce strong MFA and a tiered administration model so a single stolen credential has limited reach; keep privileged passwords in a vault and give service accounts long, random passwords with AES-only Kerberos keys, which makes Kerberoasting impractical; alert on anomalous logons and on bursts of RC4 service-ticket requests; and revoke credentials and sessions immediately when compromise is suspected.
What are other names for Credential Access?
Common alternative names include: Credential theft, TA0006.
● Related terms
- MITRE ATT&CK (compliance № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Mimikatz (defense-ops № 682): An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- Credential Stealer (malware № 231): Malware focused specifically on extracting passwords, hashes, and authentication tokens from an infected system or its memory.
- Lateral Movement (defense-ops № 606): The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- Active Directory (identity-access № 013): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Authentication (identity-access № 076): The process of verifying that an entity (user, device or service) really is who or what it claims to be before granting access.
● See also
- № 790 Pass-the-Hash
- № 583 Kerberoasting