Home
ATT&CK Techniques
T1212 Exploitation for Credential Access

T1212 Exploitation for Credential Access Mappings

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
AC-2	Account Management	Protects	T1212	Exploitation for Credential Access
AC-4	Information Flow Enforcement	Protects	T1212	Exploitation for Credential Access
AC-6	Least Privilege	Protects	T1212	Exploitation for Credential Access
CA-7	Continuous Monitoring	Protects	T1212	Exploitation for Credential Access
CA-8	Penetration Testing	Protects	T1212	Exploitation for Credential Access
CM-2	Baseline Configuration	Protects	T1212	Exploitation for Credential Access
CM-6	Configuration Settings	Protects	T1212	Exploitation for Credential Access
CM-8	System Component Inventory	Protects	T1212	Exploitation for Credential Access
RA-10	Threat Hunting	Protects	T1212	Exploitation for Credential Access
RA-5	Vulnerability Monitoring and Scanning	Protects	T1212	Exploitation for Credential Access
SC-18	Mobile Code	Protects	T1212	Exploitation for Credential Access
SC-2	Separation of System and User Functionality	Protects	T1212	Exploitation for Credential Access
SC-26	Decoys	Protects	T1212	Exploitation for Credential Access
SC-29	Heterogeneity	Protects	T1212	Exploitation for Credential Access
SC-3	Security Function Isolation	Protects	T1212	Exploitation for Credential Access
SC-30	Concealment and Misdirection	Protects	T1212	Exploitation for Credential Access
SC-35	External Malicious Code Identification	Protects	T1212	Exploitation for Credential Access
SC-39	Process Isolation	Protects	T1212	Exploitation for Credential Access
SC-7	Boundary Protection	Protects	T1212	Exploitation for Credential Access
SI-2	Flaw Remediation	Protects	T1212	Exploitation for Credential Access
SI-3	Malicious Code Protection	Protects	T1212	Exploitation for Credential Access
SI-4	System Monitoring	Protects	T1212	Exploitation for Credential Access
SI-5	Security Alerts, Advisories, and Directives	Protects	T1212	Exploitation for Credential Access
SI-7	Software, Firmware, and Information Integrity	Protects	T1212	Exploitation for Credential Access
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1212	Exploitation for Credential Access	Comments This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed". References https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_automation_update_management	Azure Automation Update Management	technique_scores	T1212	Exploitation for Credential Access	Comments This control provides significant coverage of credential access techniques that leverage unpatched software vulnerabilities since it enables automated updates of software and rapid configuration change management. References https://docs.microsoft.com/en-us/azure/automation/update-management/overview
azure_policy	Azure Policy	technique_scores	T1212	Exploitation for Credential Access	Comments This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation. References https://docs.microsoft.com/en-us/azure/governance/policy/overview https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
azure_defender_for_app_service	Azure Defender for App Service	technique_scores	T1212	Exploitation for Credential Access	Comments This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. References https://docs.microsoft.com/en-us/azure/security-center/alerts-reference https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction https://azure.microsoft.com/en-us/services/app-service/ https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
integrated_vulnerability_scanner_powered_by_qualys	Integrated Vulnerability Scanner Powered by Qualys	technique_scores	T1212	Exploitation for Credential Access	Comments Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial. References https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm