T1589.001 Credentials Mappings

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)

Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.). Adversaries may purchase credentials from dark web markets, such as Russian Market and 2easy, or through access to Telegram channels that distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer Stealer Logs 2023)

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Scan network Enumerating the state of the network related-to T1589.001 Gather Victim Identity Information: Credentials

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_network_firewall AWS Network Firewall technique_scores T1589.001 Credentials
Comments
AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Minimal because much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
References
aws_security_hub AWS Security Hub technique_scores T1589.001 Credentials
Comments
AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. S3 buckets with public write or read permissions S3 buckets with sensitive data This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting.
References