# Credential Access Techniques Comprehensive Guide
Credential access is the set of techniques adversaries use to steal usernames, passwords, cryptographic hashes, authentication tokens, and session material from a compromised environment. It exists because authentication is the primary boundary between an attacker with a foothold and an attacker with unrestricted access. Without valid credentials, post-exploitation activity is slow, noisy, and limited in scope. With them, an adversary moves laterally at machine speed, blends into normal user behavior, and may persist for months before detection. Understanding the full spectrum of credential access, from memory scraping to cloud token theft, is the foundation of both effective detection engineering and identity-focused defensive architecture.
---
Credential access, as defined within MITRE ATT&CK Tactic TA0006, refers to the collection of techniques an adversary uses to obtain account credentials, authentication material, or session tokens. This includes passwords in plaintext or hashed form, Kerberos tickets, OAuth tokens, SAML assertions, API keys, private certificates, and session cookies. The defining characteristic is that the material collected can be used to authenticate as a legitimate user or service, either immediately or after offline processing such as hash cracking.
Credential access is distinct from initial access and privilege escalation, though it frequently enables both. Initial access establishes a presence on a system; credential access extracts material that extends that presence to other systems and accounts. Privilege escalation elevates permissions on the current system; credential access may allow impersonation of a higher-privileged account elsewhere without exploiting any local vulnerability.
Credential access is also distinct from account takeover at the business logic layer. Phishing-driven credential theft, where a user types a password into a fake portal, falls under initial access rather than TA0006. The TA0006 techniques focus on programmatic extraction from running processes, stored files, authentication infrastructure, and identity provider systems.
Variants within scope include:
---
The most thoroughly documented credential access path targets the Windows Local Security Authority Subsystem Service (LSASS). LSASS keeps credential material in memory to support single sign-on and Kerberos authentication. Adversaries read that memory either directly, with tools such as Mimikatz (the sekurlsa module), or indirectly by writing a process dump with a legitimate Windows component, such as the MiniDump export of comsvcs.dll invoked through rundll32, and parsing the dump offline. The material recovered includes NTLM hashes, Kerberos ticket-granting tickets, and, on systems where WDigest caching is still enabled, plaintext passwords. Both paths require a local administrator's SeDebugPrivilege, and both yield little when LSASS runs as a protected process (RunAsPPL, which blocks the handle unless the attacker brings a kernel driver) or when Credential Guard isolates the secrets outside the LSASS address space.
The Security Account Manager (SAM) database stores the hashed passwords of local accounts. The on-disk hive file is locked while Windows is running, but an administrator can export it with reg save or copy it from a Volume Shadow Copy. The SYSTEM hive has to be taken with it, because it holds the boot key that encrypts the hashes, and the SECURITY hive is usually collected too for LSA secrets and cached domain logons. The NT hashes can then be cracked offline or replayed directly in pass-the-hash attacks, which is why a local administrator password reused across a fleet turns one host compromise into many.
The highest-impact OS-layer technique is NTDS.dit extraction. This file, present on every Active Directory domain controller, holds the password hashes of every domain account, including krbtgt. Adversaries copy it from a Volume Shadow Copy, create an Install From Media snapshot with ntdsutil, or skip the disk entirely with DCSync, which uses the Directory Replication Service protocol (MS-DRSR) to ask a DC for account secrets exactly as a peer domain controller would. DCSync needs an account holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object; Domain Admins, Enterprise Admins and domain controller computer accounts hold them by default, and misconfigured delegation or a privilege escalation path can grant them to anyone else.
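Two detections follow from the LSASS and DCSync paragraphs above. The first is an added example, not code from the original page: it runs over constructed Sysmon-shaped records (ProcessAccess event 10 and ProcessCreate event 1) and flags any handle to lsass.exe that carries PROCESS_VM_READ from a source image outside a small allowlist, plus command lines that match the comsvcs.dll MiniDump, Mimikatz sekurlsa or procdump patterns. The allowlist and the sample records are assumptions for the example; in production the allowlist comes from a baseline of your own fleet.

```python
import re

# A memory read of LSASS always needs PROCESS_VM_READ; the masks seen from
# Mimikatz-style tools (0x1010, 0x1410, 0x1438, 0x1fffff) all include this bit.
PROCESS_VM_READ = 0x0010

# Hypothetical per-environment allowlist of images that open LSASS legitimately.
# An assumption for this example; derive yours from a baseline of your own fleet.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line markers of well-known dump paths. comsvcs.dll's MiniDump export
# is also reachable by ordinal (#24), so match both spellings.
DUMP_CMDLINE_PATTERNS = [
    re.compile(r"comsvcs\.dll\s*,?\s*(?:minidump|#24)\b", re.I),
    re.compile(r"sekurlsa::", re.I),
    re.compile(r"procdump.*-ma.*lsass", re.I),
]


def flag_lsass_access(events):
    """Return [(index, reason)] for records that look like LSASS credential dumping.

    Records are dicts carrying the fields of flattened Sysmon events:
      EventID 10 (ProcessAccess): SourceImage, TargetImage, GrantedAccess (hex string)
      EventID 1  (ProcessCreate): Image, CommandLine
    """
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 10:
            if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
                continue
            source = ev.get("SourceImage", "").lower()
            if source in BENIGN_SOURCE_IMAGES:
                continue
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ:
                findings.append((i, f"{source} opened lsass.exe with GrantedAccess {hex(granted)}"))
        elif ev.get("EventID") == 1:
            cmdline = ev.get("CommandLine", "")
            if any(p.search(cmdline) for p in DUMP_CMDLINE_PATTERNS):
                findings.append((i, f"dump tooling command line: {cmdline}"))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\svc\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for idx, reason in flag_lsass_access(SAMPLE_EVENTS):
        print(f"[{idx}] {reason}")
```

Only records 1 (unknown image with VM_READ) and 2 (comsvcs MiniDump) are flagged; Task Manager's 0x1400 query handle and the allowlisted csrss.exe full-access handle are not. The mask check deliberately keys on the single VM_READ bit rather than a list of known values, because tooling varies the exact mask to evade list-based rules.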
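For DCSync, the telemetry is Security event 4662 on the domain controller, whose Properties field lists the control-access-right GUIDs exercised. The added example below (not code from the original page) filters constructed 4662 records for the three replication rights and reports any subject that is neither a computer account nor a known synchronisation account; the sync-account prefix and the sample records are assumptions for the example.

```python
import re

# Control access right GUIDs for directory replication, as they appear in the
# Properties field of Security event 4662 on a domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Hypothetical allowlist of non-DC accounts that replicate by design, such as the
# Entra ID Connect sync account. An assumption for this example; fill it from your directory.
KNOWN_SYNC_ACCOUNT_PREFIXES = ("MSOL_",)


def flag_dcsync(events):
    """Return [(index, subject, [rights])] for 4662 records in which a principal that is
    not a domain controller exercised a replication control-access right."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.endswith("$"):  # domain controller computer accounts replicate by design
            continue
        if subject.upper().startswith(KNOWN_SYNC_ACCOUNT_PREFIXES):
            continue
        findings.append((i, subject, rights))
    return findings


DOMAIN_DN = "DC=corp,DC=local"
BOTH_RIGHTS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample records, not real log data.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": DOMAIN_DN,
     "AccessMask": "0x100", "Properties": BOTH_RIGHTS},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": DOMAIN_DN,
     "AccessMask": "0x100", "Properties": BOTH_RIGHTS},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "CN=jsmith,CN=Users," + DOMAIN_DN,
     "AccessMask": "0x10", "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_3f2a9c1d", "ObjectName": DOMAIN_DN,
     "AccessMask": "0x100", "Properties": BOTH_RIGHTS},
]

if __name__ == "__main__":
    for idx, who, rights in flag_dcsync(SAMPLE_4662):
        print(f"[{idx}] {who} replicated with {', '.join(rights)}")
```

Only the jsmith record on the domain object is reported. Two caveats before relying on this: 4662 is emitted only when the Directory Service Access audit subcategory is enabled and the domain object's SACL covers these rights, and an adversary who has already compromised a DC computer account or the sync account is invisible to the allowlist, so those accounts need their own baselining of source host and volume.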
Concrete Scenario: An adversary gains code execution on a domain-joined server through a web application vulnerability. They escalate to SYSTEM, then use a Mimikatz variant to read LSASS memory and extract the NTLM hash of a domain administrator who recently authenticated to that server. With that hash, they authenticate to the domain controller via pass-the-hash, dump NTDS.dit using ntdsutil, and now hold hashes for all 4,000 domain accounts. Total elapsed time from initial dump to full domain compromise: under 20 minutes.
Modern endpoints store credential material in dozens of locations outside the OS credential subsystem. Web browsers keep encrypted credential stores whose protection is tied to the logged-on user rather than to any privilege level. Chromium-based browsers such as Chrome and Edge wrap their store key with the Windows Data Protection API (DPAPI), so code running as that user can unwrap the key and decrypt every saved password without elevation; recent Chrome releases add an app-bound layer whose key is held by SYSTEM, which raises the bar to a local privilege escalation rather than removing the path. Firefox keeps its logins in an NSS key database that is open to the same user unless a primary password has been set. Public tooling exists for nearly every mainstream browser on every major platform.
Password managers present a high-value target. Master passwords or unlocked vault data in memory may be accessible during active sessions. Some password manager implementations store vault data in locations readable by low-privileged code.
Scripts, configuration files, and infrastructure-as-code repositories frequently contain hardcoded credentials. Group Policy Preferences historically stored local account passwords in SYSVOL as an AES-encrypted cpassword attribute, and Microsoft published the decryption key, so any authenticated domain user, all of whom can read SYSVOL, could recover them; MS14-025 removed the ability to set new ones but left existing values in place until an administrator deletes them. Cloud instance metadata services, reachable at 169.254.169.254 on AWS and at equivalent endpoints on other platforms, hand temporary credentials for the instance's attached role to any process running on the instance. An adversary with command execution on an EC2 instance that has an instance profile can retrieve those credentials with a single HTTP request under IMDSv1, or two under IMDSv2 (a PUT for a session token, then the GET). IMDSv2 stops SSRF-style retrieval from outside the instance but not a local attacker, and the credentials carry exactly the role's permissions, which are often far broader than the workload needs.
Kerberos-based attacks target the ticket infrastructure rather than passwords directly. Kerberoasting requests service tickets for accounts with Service Principal Names (SPNs) registered in Active Directory. Any authenticated domain user can request them, and the encrypted part of each ticket is protected with a key derived from the service account's password: the NT hash itself when RC4-HMAC (encryption type 23) is negotiated, a PBKDF2-derived key for AES. The attacker saves the tickets and cracks them offline, requesting RC4 wherever the account still permits it because it cracks orders of magnitude faster than AES. Service accounts are a soft target because their passwords are often human-chosen, never rotated, and exempt from the policies applied to interactive users; group Managed Service Accounts, whose long random passwords rotate automatically, are the structural fix.
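The GPP paragraph above describes a SYSVOL audit a practitioner should run before an attacker does. The following is an added example, not code from the original page: it walks a tree shaped like SYSVOL\Policies, parses the preference XML files that could carry a cpassword attribute, reports the account each one belongs to, and checks that the value is AES block aligned after restoring the base64 padding that GPP strips. It stops short of decrypting, which Get-GPPPassword and similar tools do with the key Microsoft published. The fixture files, the policy paths and the placeholder cpassword are constructed for the example and are not real encrypted passwords.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference XML files that could carry a cpassword attribute.
GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute that names the account the cpassword belongs to, varying by file type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def decode_cpassword(cpassword):
    """GPP strips the base64 '=' padding from cpassword; restore it and decode.
    The result is AES-256-CBC ciphertext, so it must be a multiple of 16 bytes."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not raw or len(raw) % 16:
        raise ValueError("cpassword is not AES block aligned")
    return raw


def scan_sysvol(root):
    """Walk a SYSVOL-like tree and list every element carrying a cpassword."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
                findings.append({
                    "file": os.path.relpath(path, root).replace(os.sep, "/"),
                    "account": account,
                    "new_name": elem.get("newName") or None,
                    "ciphertext_bytes": len(decode_cpassword(cpw)),
                })
    return findings


# Constructed placeholder: base64 of 32 arbitrary bytes, not a real encrypted password.
FAKE_CPASSWORD = base64.b64encode(bytes(range(32))).decode().rstrip("=")

GROUPS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2013-06-20 10:12:55">
    <Properties action="U" newName="localadm" cpassword="{FAKE_CPASSWORD}" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""
SERVICES_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="BackupAgent">
    <Properties startupType="AUTOMATIC" serviceName="BackupAgent" accountName="CORP\\svc_backup" cpassword="{FAKE_CPASSWORD}"/>
  </NTService>
</NTServices>
"""
CLEAN_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""


def build_sample_sysvol():
    """Write the constructed files into a throwaway tree shaped like SYSVOL\\Policies."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    layout = {
        "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Preferences/Groups/Groups.xml": GROUPS_XML,
        "Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/Machine/Preferences/Services/Services.xml": SERVICES_XML,
        "Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/User/Preferences/Groups/Groups.xml": CLEAN_GROUPS_XML,
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_sysvol(build_sample_sysvol()):
        print(hit)
```

Run against a real domain by pointing scan_sysvol at \\domain\SYSVOL\domain, which any domain user can read; every hit is a credential that should be assumed compromised, rotated, and removed from the XML, since patching the editor did nothing to the files already in SYSVOL.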
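Kerberoasting leaves a distinctive trace in Security event 4769 on the domain controller: one principal requesting RC4-encrypted service tickets for several different non-computer service accounts in a short window. The added example below (not code from the original page) implements that rule over constructed 4769 records with a sliding time window; the threshold, window and sample records are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17               # etype 23; AES128 is 0x11, AES256 is 0x12
SERVICE_ALLOWLIST = {"krbtgt"}  # TGT renewals also surface as 4769 and are not roastable targets


def is_computer_account(name):
    return name.split("@")[0].endswith("$")


def detect_kerberoasting(events, window=timedelta(minutes=10), threshold=3):
    """Return {requester: [distinct service accounts]} for requesters that obtained
    RC4 service tickets for at least `threshold` distinct user-type service accounts
    within any `window`-long span. Events are dicts with 4769's fields."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        if is_computer_account(service) or service.lower() in SERVICE_ALLOWLIST:
            continue
        per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["TimeCreated"]), service))

    findings = defaultdict(set)
    for user, reqs in per_user.items():
        reqs.sort()
        in_window, left = Counter(), 0
        for ts, svc in reqs:
            in_window[svc] += 1
            while ts - reqs[left][0] > window:      # drop requests that fell out of the window
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                findings[user].update(in_window)
    return {user: sorted(svcs) for user, svcs in findings.items()}


def ev(ts, user, service, etype, status="0x0"):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}


# Constructed sample records, not real log data.
SAMPLE_4769 = [
    ev("2024-03-04T09:00:01", "jsmith@CORP.LOCAL", "sqlsvc", "0x17"),
    ev("2024-03-04T09:00:02", "jsmith@CORP.LOCAL", "httpsvc", "0x17"),
    ev("2024-03-04T09:00:02", "jsmith@CORP.LOCAL", "WS01$", "0x17"),     # computer account: excluded
    ev("2024-03-04T09:00:03", "jsmith@CORP.LOCAL", "krbtgt", "0x17"),    # TGT renewal noise: excluded
    ev("2024-03-04T09:00:04", "jsmith@CORP.LOCAL", "backupsvc", "0x17"),
    ev("2024-03-04T09:05:00", "alice@CORP.LOCAL", "sqlsvc", "0x17"),     # a single service: normal use
    ev("2024-03-04T09:05:10", "alice@CORP.LOCAL", "httpsvc", "0x12"),    # AES: not counted
    ev("2024-03-04T09:06:00", "bob@CORP.LOCAL", "sqlsvc", "0x17"),
    ev("2024-03-04T09:06:30", "bob@CORP.LOCAL", "sqlsvc", "0x17"),
    ev("2024-03-04T09:07:00", "bob@CORP.LOCAL", "sqlsvc", "0x17"),       # repeats of one service do not count
]

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"{user} requested RC4 tickets for {services}")
```

jsmith is reported with three distinct service accounts; alice and bob are not. The rule has two blind spots worth stating: an attacker can spread requests over hours to stay under the window, and once accounts are restricted to AES via msDS-SupportedEncryptionTypes the etype filter no longer fires, so the count of distinct services per requester should be kept as a second, etype-agnostic signal.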
Golden Ticket attacks require the NTLM hash of the krbtgt account, obtained via NTDS.dit extraction or DCSync. With it, an adversary can forge arbitrary Ticket Granting Tickets with any privileges, valid for any duration, and the resulting access persists even after password resets of individual accounts until the krbtgt password is reset twice.
In cloud environments, OAuth and SAML tokens represent the equivalent of Kerberos tickets. Adversaries target token storage in browser local storage, application memory, CI/CD environment variables, and identity provider configuration. SAML assertion forgery, demonstrated in the SolarWinds-related intrusions, requires the private key of the identity provider signing certificate. Once obtained, an adversary can generate authentication assertions for any user in the federated environment without those users' passwords.
---
The business impact of credential access is frequently underestimated until after a significant incident. Credentials are the mechanism by which an adversary transforms a limited technical foothold into an enterprise-wide compromise. Detection and response teams consistently report that credential theft is the inflection point at which a containable incident becomes a catastrophic breach.
The 2020 SolarWinds intrusion illustrates the scale of what credential access enables at the identity layer. The adversaries, assessed to be SVR-linked actors, compromised the SAML signing certificate of on-premises Active Directory Federation Services deployments. This allowed them to forge authentication tokens for cloud-hosted Microsoft 365 environments without triggering password-based controls or MFA. The credential material in this case was not a password but a cryptographic key, and its theft was invisible to traditional credential monitoring tools focused on password-based authentication events.
A common misconception is that multi-factor authentication (MFA) eliminates credential access risk. MFA blunts password reuse and phishing, and phishing-resistant factors such as FIDO2 authenticators defeat credential phishing outright, but one-time codes and push approvals can be relayed through adversary-in-the-middle phishing kits, and no factor protects what is issued after authentication succeeds. An adversary who steals a valid session cookie, an OAuth access token, or a SAML assertion after MFA has been satisfied authenticates without any MFA challenge. Pass-the-hash similarly bypasses MFA because it operates at the NTLM protocol layer, where there is no second factor, rather than at the application layer where MFA is enforced.
A second misconception is that endpoint detection and response (EDR) tools provide complete coverage. EDR visibility into LSASS access has improved substantially, but cloud credential theft, GPP password extraction, and CI/CD pipeline credential exposure typically occur in contexts where EDR telemetry is absent or limited.
Organizations without systematic credential access monitoring face specific consequences: undetected lateral movement for extended dwell times, ransomware operators who deploy payloads domain-wide because they hold domain administrator credentials, and cloud environment takeovers that result in data exfiltration and resource abuse.
---
CDA approaches credential access through the Planetary Defense Model (PDM), operating primarily across the Threat Intelligence Domain (TID) and the Identity and Access Threat (IAT) domain. The governing methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you. This means building detection and defensive capability against credential access techniques before those techniques are observed in the specific environment, based on threat actor profiling, technique frequency analysis, and systematic control gap identification.
Within TID, CDA analysts map adversary groups relevant to a client sector to their documented credential access technique preferences. A financial sector client faces different prioritization than a defense industrial base client. APT29 prioritizes SAML token abuse and cloud credential theft; ransomware operators prioritize LSASS dumping and SAM extraction for rapid lateral movement. Technique prioritization is intelligence-driven, not compliance-driven.
The IAT domain addresses the identity infrastructure controls that reduce credential access success rates and increase detection fidelity. CDA's TOP missions IAT-R01 through IAT-R06 provide sequential implementation guidance covering Credential Guard deployment, LSASS protection via RunAsPPL, Kerberos encryption baseline enforcement, cloud identity hygiene, and honeytoken deployment. Each mission includes specific detection logic tied to the technique it mitigates, ensuring that control deployment and detection engineering advance together rather than independently.
What CDA does differently is treat credential access as an ongoing intelligence problem rather than a one-time hardening exercise. Credential access techniques evolve as defensive controls improve. The shift from LSASS memory reading to DCSync, and from DCSync to SAML token forgery, reflects adversary adaptation to deployed defenses. CDA's PDI methodology tracks these shifts and updates both detection rules and control priorities accordingly, on a continuous cycle rather than an annual assessment cadence.
---
Written by CDA Editorial