8. Credential Access
Credential Access (TA0006)
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Strategy
- Dump: Pull hashes from memory/disk.
- Sniff: Catch hashes off the wire (LLMNR Poisoning).
- Find: Look for 'password.txt' on the desktop.
Section Contents
- Credentials from Password Stores: Decrypting passwords stored in Web Browsers, Password Managers, and Windows Vault.
- Forced Authentication: Forcing a system to authenticate to an adversary-controlled server to steal hashes.
- Kerberos Attacks: Abusing the Kerberos authentication protocol to steal credentials and forge tickets.
- OS Credential Dumping: Extracting credentials from the operating system's memory (LSASS) or database (NTDS.dit).
- Unsecured Credentials: Finding credentials stored insecurely in files, registry, or group policy.