Credential Access (17 techniques)
Stealing credentials such as account names and passwords.
The Credential Access tactic groups MITRE ATT&CK techniques used by adversaries to steal credentials such as account names and passwords. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1003 — OS Credential Dumping (Linux, macOS, Windows)
- T1040 — Network Sniffing (IaaS, Linux, macOS, Network Devices, Windows)
- T1056 — Input Capture (Linux, macOS, Network Devices, Windows)
- T1110 — Brute Force (Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows)
- T1111 — Multi-Factor Authentication Interception (Linux, macOS, Windows)
- T1187 — Forced Authentication (Windows)
- T1212 — Exploitation for Credential Access (Linux, Windows, macOS, Identity Provider)
- T1528 — Steal Application Access Token (Containers, IaaS, Identity Provider, Office Suite, SaaS)
- T1539 — Steal Web Session Cookie (Linux, macOS, Office Suite, SaaS, Windows)
- T1552 — Unsecured Credentials (Windows, SaaS, IaaS, Linux, macOS, Containers, Network Devices, Office Suite, Identity Provider)
- T1555 — Credentials from Password Stores (IaaS, Linux, macOS, Windows)
- T1556 — Modify Authentication Process (IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows)
- T1557 — Adversary-in-the-Middle (Linux, macOS, Network Devices, Windows)
- T1558 — Steal or Forge Kerberos Tickets (Linux, macOS, Windows)
- T1606 — Forge Web Credentials (SaaS, Windows, macOS, Linux, IaaS, Office Suite, Identity Provider)
- T1621 — Multi-Factor Authentication Request Generation (Windows, Linux, macOS, IaaS, SaaS, Office Suite, Identity Provider)
- T1649 — Steal or Forge Authentication Certificates (Windows, Linux, macOS, Identity Provider)