Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Tactic Overview
Tactic ID: TA0006 — Matrix: Enterprise — Techniques: 17
The Credential Access tactic represents a phase in the adversary lifecycle where the adversary is trying to steal account names and passwords. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 17 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (17)
The following techniques are categorized under the Credential Access tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1557 | Adversary-in-the-Middle (3 sub-techniques) | Adversaries position themselves between network communications to intercept and relay data, enabling credential capture and session hijacking. | T1557 |
T1110 | Brute Force (4 sub-techniques) | Adversaries systematically guess credentials through password spraying, credential stuffing, and dictionary attacks to gain unauthorized access. | T1110 |
T1555 | Credentials from Password Stores (5 sub-techniques) | Adversaries search password stores including browsers, password managers, and keychains to obtain stored credentials. | T1555 |
T1212 | Exploitation for Credential Access | Adversaries exploit software vulnerabilities to access credential material stored in memory or on disk. | T1212 |
T1187 | Forced Authentication | Adversaries force systems to automatically send authentication information (NTLM hashes) that can be intercepted and cracked. | T1187 |
T1606 | Forge Web Credentials (4 sub-techniques) | Adversaries forge web session cookies, SAML tokens, or other web credentials to gain unauthorized access without valid passwords. | T1606 |
T1056 | Input Capture (4 sub-techniques) | Adversaries capture user input through keylogging, GUI input capture, web portals, or credential API hooking to steal credentials. | T1056 |
T1556 | Modify Authentication Process (9 sub-techniques) | Adversaries modify authentication mechanisms to bypass credentials and access accounts, including password filter DLLs and pluggable authentication modules. | T1556 |
T1111 | Multi-Factor Authentication Interception | Adversaries intercept MFA mechanisms including hardware tokens, push notifications, and OTP codes to bypass multi-factor controls. | T1111 |
T1621 | Multi-Factor Authentication Request Generation | Adversaries bombard users with MFA push requests (MFA fatigue/prompt bombing) until the user approves a fraudulent login. | T1621 |
T1040 | Network Sniffing | Adversaries sniff network traffic to capture credentials and sensitive data transmitted over the network. | T1040 |
T1003 | OS Credential Dumping (8 sub-techniques) | Adversaries dump credentials from OS memory (LSASS), registry (SAM), Active Directory (NTDS), and Linux password files. Used extensively by APT28, APT29, APT32, APT39, and credential tools like Mimikatz. | T1003 |
T1528 | Steal Application Access Token | Adversaries steal application access tokens (OAuth, API keys) to impersonate users and access protected resources. | T1528 |
T1649 | Steal or Forge Authentication Certificates | Adversaries steal or forge certificates (Active Directory Certificate Services) for authentication without credentials. | T1649 |
T1558 | Steal or Forge Kerberos Tickets (4 sub-techniques) | Adversaries steal or forge Kerberos tickets (Golden Ticket, Silver Ticket, Kerberoasting) for lateral movement and persistence. | T1558 |
T1539 | Steal Web Session Cookie | Adversaries steal web session cookies to hijack authenticated sessions without needing credentials. | T1539 |
T1552 | Unsecured Credentials (8 sub-techniques) | Adversaries search for credentials stored insecurely in files, registries, cloud metadata, and configuration data. | T1552 |
Key Technique Deep Dives
The following techniques are among the most commonly observed in real-world attacks within this tactic:
Real-World Usage
- APT28: Deployed Mimikatz and custom password retrieval utilities
- APT29: Credential harvesting during SolarWinds compromise
- APT39: Multiple Mimikatz variants targeting credential stores
- Mustang Panda: Used Hdump utility for memory credential extraction
- Storm-0501: Impacket SecretsDump module for account extraction
Key Mitigations
- M1043 - Credential Access Protection: Implement Windows Defender Credential Guard
- M1040 - Behavior Prevention on Endpoint: Enable ASR rules protecting LSASS
- M1025 - Privileged Process Integrity: Enable Protected Process Light for LSA
- M1028 - Operating System Configuration: Disable NTLM and WDigest authentication
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Multi-factor authentication
- Credential Guard
- Password policies
- Privileged Access Workstations
- Monitor for credential dumping tools
Detection Strategies
Effective detection of Credential Access techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Credential Access tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Credential Access Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026