T1212 Exploitation for Credential Access Mappings

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1212 Exploitation for Credential Access
AC-4 Information Flow Enforcement Protects T1212 Exploitation for Credential Access
AC-6 Least Privilege Protects T1212 Exploitation for Credential Access
CA-7 Continuous Monitoring Protects T1212 Exploitation for Credential Access
CA-8 Penetration Testing Protects T1212 Exploitation for Credential Access
CM-2 Baseline Configuration Protects T1212 Exploitation for Credential Access
CM-6 Configuration Settings Protects T1212 Exploitation for Credential Access
CM-8 System Component Inventory Protects T1212 Exploitation for Credential Access
RA-10 Threat Hunting Protects T1212 Exploitation for Credential Access
RA-5 Vulnerability Monitoring and Scanning Protects T1212 Exploitation for Credential Access
SC-18 Mobile Code Protects T1212 Exploitation for Credential Access
SC-2 Separation of System and User Functionality Protects T1212 Exploitation for Credential Access
SC-26 Decoys Protects T1212 Exploitation for Credential Access
SC-29 Heterogeneity Protects T1212 Exploitation for Credential Access
SC-3 Security Function Isolation Protects T1212 Exploitation for Credential Access
SC-30 Concealment and Misdirection Protects T1212 Exploitation for Credential Access
SC-35 External Malicious Code Identification Protects T1212 Exploitation for Credential Access
SC-39 Process Isolation Protects T1212 Exploitation for Credential Access
SC-7 Boundary Protection Protects T1212 Exploitation for Credential Access
SI-2 Flaw Remediation Protects T1212 Exploitation for Credential Access
SI-3 Malicious Code Protection Protects T1212 Exploitation for Credential Access
SI-4 System Monitoring Protects T1212 Exploitation for Credential Access
SI-5 Security Alerts, Advisories, and Directives Protects T1212 Exploitation for Credential Access
SI-7 Software, Firmware, and Information Integrity Protects T1212 Exploitation for Credential Access
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1212 Exploitation for Credential Access
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1212 Exploitation for Credential Access
action.hacking.variety.Session fixation Session fixation. Child of 'Exploit vuln'. related-to T1212 Exploitation for Credential Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1212 Exploitation for Credential Access
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1212 Exploitation for Credential Access
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1212 Exploitation for Credential Access
attribute.confidentiality.data_disclosure related-to T1212 Exploitation for Credential Access