ATAGS Tactic: Credential Access
| ID | Name | Description |
|---|---|---|
| ATAGS-T1111 | Adversary in the Middle | Threat actors may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique. |
| .001 | Lower Orbit Satellites, or Drones | Threat Actors can take advantage of a drone or any satellite located between the target and the ground station to sniff the communication link. |
| .002 | ARP Cache Poisoning | Threat Actors may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. |
| .003 | DHCP Spoofing | Threat Actors may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, Threat Actors may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. |
| .004 | Evil Twin | Threat Actors may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture. |
| .005 | LLMNR/NBT-NS Poisoning and SMB Relay | By responding to LLMNR/NBT-NS network traffic, Threat Actors may spoof an authoritative source for name resolution to force communication with a Threat Actor-controlled system. This activity may be used to collect or relay authentication materials. |
| .006 | Unauthenticated gateway or unauthenticated interplanetary node | If unauthenticated gateways or unauthenticated interplanetary nodes are used, Threat Actors can substitute them with a resource of their own to collect or modify transmitted data. |
| .007 | Satellite constellation | A satellite using stolen credentials can join a dynamic constellation and collect data. |
| ATAGS-T1112 | Brute Force | Threat actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. |
| .001 | TC Brute Forcing | Threat Actors can use brute force to gain access to a telecommand (TC) channel, to brute-force its encryption, or to guess valid commands. |
| .002 | Credential Stuffing | Threat Actors may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to Threat Actors attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. |
| .003 | Password Cracking | Threat Actors may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get Threat Actors so far when Pass the Hash is not an option. Further, Threat Actors may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices. |
| .004 | Password Guessing | Threat Actors with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, Threat Actors may opt to systematically guess the password using a repetitive or iterative mechanism. Threat Actors may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. |
| .005 | Password Spraying | Threat Actors may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. |
| ATAGS-T1113 | Credentials from Password Stores | Threat actors may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
| .001 | Cloud Secrets Management Stores | Threat Actors may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. |
| .002 | Credentials from Web Browsers | Threat Actors may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. |
| .003 | Keychain | Threat Actors may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. |
| .004 | Password Managers | Threat Actors may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. |
| .005 | Securityd Memory | Threat Actors with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc. |
| .006 | Windows Credential Manager | Threat Actors may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). |
| ATAGS-T1114 | Exploitation for Credential Access | Threat actors may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. |
| ATAGS-T1115 | Forced Authentication | Threat actors may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. |
| ATAGS-T1116 | Forge Web Credentials | Threat actors may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. |
| .001 | SAML Tokens | Threat Actors may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy. Forged SAML tokens enable Threat Actors to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism. |
| .002 | Web Cookies | Threat Actors may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. |
| ATAGS-T1117 | Input Capture | Threat actors may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). |
| .001 | Credential API Hooking | Threat Actors may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. |
| .002 | GUI Input Capture | Threat Actors may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). |
| .003 | Keylogging | Threat Actors may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require Threat Actors to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, Threat Actors may also perform actions such as clearing browser cookies to force users to reauthenticate to systems. |
| .004 | Web Portal Capture | Threat Actors may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. |
| ATAGS-T1055 | Modify Authentication Process | Threat actors may modify the internal authentication process of the victim ground station to facilitate initial access or recurring execution, or to prevent authorized entities from accessing the ground station. This can be done through the modification of the software binaries or memory manipulation techniques. |
| .001 | Domain Controller Authentication | Threat Actors may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. |
| .002 | Multi-Factor Authentication | Threat Actors may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. |
| .003 | Network Device Authentication | Threat Actors may use Patch System Image to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. |
| .004 | Network Provider DLL | Threat Actors may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. |
| .005 | Password Filter DLL | Threat Actors may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. |
| .006 | Pluggable Authentication Modules | Threat Actors may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow. |
| .007 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it. |
| .008 | Conditional Access Policies | Threat Actors may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. |
| .009 | Hybrid Identity | Threat Actors may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. |
| ATAGS-T1118 | Multi-Factor Authentication Interception | Threat actors may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. |
| ATAGS-T1119 | Multi-Factor Authentication Request Generation | Threat actors may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. |
| ATAGS-T1120 | Network Sniffing | Threat actors may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. |
| ATAGS-T1121 | OS Credential Dumping | Threat actors may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information. |
| .001 | /etc/passwd and /etc/shadow | Threat Actors may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user. |
| .002 | Cached Domain Credentials | Threat Actors may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable. |
| .003 | DCSync | Threat Actors may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync. |
| .004 | LSA Secrets | Threat Actors with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory. |
| .005 | LSASS Memory | Threat Actors may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. |
| .006 | NTDS | Threat Actors may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. |
| .007 | Proc Filesystem | Threat Actors may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux-based systems managing virtual memory. For each process, the /proc/ |
| .008 | Security Account Manager | Threat Actors may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. |
| ATAGS-T1122 | Phishing for credentials | Threat actors may send phishing messages to victims directing them to a spoofed GSaaS login portal (e.g., fake AWS Console or Mission Control login) to capture credentials. |
| ATAGS-T1123 | Steal Application Access Token | Threat actors can steal application access tokens as a means of acquiring credentials to access remote systems and resources. |
| ATAGS-T1124 | Steal or Forge Authentication Certificates | Threat actors may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts. |
| ATAGS-T1125 | Steal Web Session Cookie | Threat actors may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. |
| ATAGS-T1126 | Unsecured Credentials | Threat actors may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys). |
| .001 | Chat Messages | Threat Actors may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels. |
| .002 | Cloud Instance Metadata API | Threat Actors may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. |
| .003 | Container API | Threat Actors may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components. |
| .004 | Credentials In Files | Threat Actors may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. |
| .005 | Credentials in Registry | Threat Actors may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Threat Actors may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. |
| .006 | Group Policy Preferences | Threat Actors may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. |
| .007 | Private Keys | Threat Actors may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. |
| .008 | Shell History | Threat Actors may search the command history on compromised systems for insecurely stored credentials. |
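The Brute Force entries above (ATAGS-T1112, in particular Password Guessing .004 and Password Spraying .005) describe two failure patterns that look different in authentication logs: many failures against one account from one source, versus one failure each against many accounts from one source within a short window. The following detector is an added example written for this page, not part of the ATAGS catalogue or any tool it references; the log line format, the sample lines and the thresholds are constructed assumptions. It runs a sliding window per source address, flags each pattern separately, and also reports any account that authenticated successfully from a source after it was flagged, which is the event a responder most wants to see.

```python
"""Detect password guessing (.004) and password spraying (.005) in auth logs.

Added example for the ATAGS Credential Access page. The log format below is an
assumption made for this example; adapt LINE_RE to the real log source.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like format: <ISO timestamp> auth: result=<success|failure> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one spraying source (one failure per account, then a
# success), one guessing source (six failures against one account), one benign user.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth: result=failure user=alice src=203.0.113.5
2024-05-01T10:00:03 auth: result=failure user=bob src=203.0.113.5
2024-05-01T10:00:05 auth: result=failure user=carol src=203.0.113.5
2024-05-01T10:00:07 auth: result=failure user=dave src=203.0.113.5
2024-05-01T10:00:09 auth: result=failure user=erin src=203.0.113.5
2024-05-01T10:00:11 auth: result=success user=frank src=203.0.113.5
2024-05-01T10:01:00 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:01:01 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:01:02 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:01:03 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:01:04 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:01:05 auth: result=failure user=ops src=198.51.100.7
2024-05-01T10:30:00 auth: result=failure user=alice src=192.0.2.9
2024-05-01T10:30:20 auth: result=success user=alice src=192.0.2.9
"""


def parse_log(text):
    """Parse log text into sorted (timestamp, result, user, src) tuples.

    Lines that do not match the assumed format are skipped rather than raising,
    so a mixed log file does not abort the whole scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def detect_brute_force(events, window=timedelta(minutes=5),
                       spray_min_accounts=5, guess_min_failures=5):
    """Return {src: {"spraying": bool, "guessing": bool, "post_failure_success": [users]}}.

    spraying: at least spray_min_accounts distinct users failed from one source
              inside one window (the .005 pattern that stays under per-account lockout).
    guessing: at least guess_min_failures failures against a single user from one
              source inside one window (the .004 pattern).
    post_failure_success: users who then logged in successfully from a flagged
              source, at or after the moment it was first flagged.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "failure"]
        spraying = guessing = False
        first_flag = None
        left = 0
        users_in_window = Counter()  # per-user failure count inside the window
        for ts, _, user, _ in failures:
            users_in_window[user] += 1
            # Slide the left edge forward so the window spans at most `window`.
            while failures[left][0] < ts - window:
                old_user = failures[left][2]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                left += 1
            if len(users_in_window) >= spray_min_accounts:
                spraying = True
            if max(users_in_window.values()) >= guess_min_failures:
                guessing = True
            if (spraying or guessing) and first_flag is None:
                first_flag = ts
        if not (spraying or guessing):
            continue
        successes = sorted({u for t, r, u, _ in evs if r == "success" and t >= first_flag})
        alerts[src] = {"spraying": spraying, "guessing": guessing,
                       "post_failure_success": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_brute_force(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The two thresholds are deliberately separate: a spraying source typically never trips a per-account lockout threshold, so a rule that only counts failures per account misses it, while a rule that only counts distinct accounts misses single-account guessing. Tune the window and counts to the authentication volume of the environment, and treat `post_failure_success` entries as accounts to reset and review first.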