Credential Access (17 techniques)

The Credential Access tactic groups MITRE ATT&CK techniques used by adversaries to stealing credentials such as account names and passwords. Each technique below has its own page with detection guidance, platforms, and sub-techniques.

• T1003 — OS Credential Dumping
  Linux, macOS, Windows
• T1040 — Network Sniffing
  IaaS, Linux, macOS, Network Devices, Windows
• T1056 — Input Capture
  Linux, macOS, Network Devices, Windows
• T1110 — Brute Force
  Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
• T1111 — Multi-Factor Authentication Interception
  Linux, macOS, Windows
• T1187 — Forced Authentication
  Windows
• T1212 — Exploitation for Credential Access
  Linux, Windows, macOS, Identity Provider
• T1528 — Steal Application Access Token
  Containers, IaaS, Identity Provider, Office Suite, SaaS
• T1539 — Steal Web Session Cookie
  Linux, macOS, Office Suite, SaaS, Windows
• T1552 — Unsecured Credentials
  Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider
• T1555 — Credentials from Password Stores
  IaaS, Linux, macOS, Windows
• T1556 — Modify Authentication Process
  IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
• T1557 — Adversary-in-the-Middle
  Linux, macOS, Network Devices, Windows
• T1558 — Steal or Forge Kerberos Tickets
  Linux, macOS, Windows
• T1606 — Forge Web Credentials
  SaaS, Windows, macOS, Linux, IaaS, Office Suite, Identity Provider
• T1621 — Multi-Factor Authentication Request Generation
  Windows, Linux, macOS, IaaS, SaaS, Office Suite, Identity Provider
• T1649 — Steal or Forge Authentication Certificates
  Windows, Linux, macOS, Identity Provider