Threat actors may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Threat actors may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.