Credential Access (17 techniques)
Stealing credentials such as account names and passwords.
The Credential Access tactic groups MITRE ATT&CK techniques used by adversaries tostealing credentials such as account names and passwords. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1003 - OS Credential DumpingLinux, macOS, Windows
- T1040 - Network SniffingIaaS, Linux, macOS, Network Devices, Windows
- T1056 - Input CaptureLinux, macOS, Network Devices, Windows
- T1110 - Brute ForceContainers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1111 - Multi-Factor Authentication InterceptionLinux, macOS, Windows
- T1187 - Forced AuthenticationWindows
- T1212 - Exploitation for Credential AccessLinux, Windows, macOS, Identity Provider
- T1528 - Steal Application Access TokenContainers, IaaS, Identity Provider, Office Suite, SaaS
- T1539 - Steal Web Session CookieLinux, macOS, Office Suite, SaaS, Windows
- T1552 - Unsecured CredentialsWindows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider
- T1555 - Credentials from Password StoresIaaS, Linux, macOS, Windows
- T1556 - Modify Authentication ProcessIaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1557 - Adversary-in-the-MiddleLinux, macOS, Network Devices, Windows
- T1558 - Steal or Forge Kerberos TicketsLinux, macOS, Windows
- T1606 - Forge Web CredentialsSaaS, Windows, macOS, Linux, IaaS, Office Suite, Identity Provider
- T1621 - Multi-Factor Authentication Request GenerationWindows, Linux, macOS, IaaS, SaaS, Office Suite, Identity Provider
- T1649 - Steal or Forge Authentication CertificatesWindows, Linux, macOS, Identity Provider
Detection engineering training, taught by practitioners.
Learn how to build real detections across the MITRE ATT&CK framework.
View Courses