T1212 Exploitation for Credential Access Mappings

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1212 | Exploitation for Credential Access |
| AC-4 | Information Flow Enforcement | Protects | T1212 | Exploitation for Credential Access |
| AC-6 | Least Privilege | Protects | T1212 | Exploitation for Credential Access |
| CA-7 | Continuous Monitoring | Protects | T1212 | Exploitation for Credential Access |
| CA-8 | Penetration Testing | Protects | T1212 | Exploitation for Credential Access |
| CM-2 | Baseline Configuration | Protects | T1212 | Exploitation for Credential Access |
| CM-6 | Configuration Settings | Protects | T1212 | Exploitation for Credential Access |
| CM-8 | System Component Inventory | Protects | T1212 | Exploitation for Credential Access |
| RA-10 | Threat Hunting | Protects | T1212 | Exploitation for Credential Access |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1212 | Exploitation for Credential Access |
| SC-18 | Mobile Code | Protects | T1212 | Exploitation for Credential Access |
| SC-2 | Separation of System and User Functionality | Protects | T1212 | Exploitation for Credential Access |
| SC-26 | Decoys | Protects | T1212 | Exploitation for Credential Access |
| SC-29 | Heterogeneity | Protects | T1212 | Exploitation for Credential Access |
| SC-3 | Security Function Isolation | Protects | T1212 | Exploitation for Credential Access |
| SC-30 | Concealment and Misdirection | Protects | T1212 | Exploitation for Credential Access |
| SC-35 | External Malicious Code Identification | Protects | T1212 | Exploitation for Credential Access |
| SC-39 | Process Isolation | Protects | T1212 | Exploitation for Credential Access |
| SC-7 | Boundary Protection | Protects | T1212 | Exploitation for Credential Access |
| SI-2 | Flaw Remediation | Protects | T1212 | Exploitation for Credential Access |
| SI-3 | Malicious Code Protection | Protects | T1212 | Exploitation for Credential Access |
| SI-4 | System Monitoring | Protects | T1212 | Exploitation for Credential Access |
| SI-5 | Security Alerts, Advisories, and Directives | Protects | T1212 | Exploitation for Credential Access |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1212 | Exploitation for Credential Access |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1212 | Exploitation for Credential Access |
| azure_automation_update_management | Azure Automation Update Management | technique_scores | T1212 | Exploitation for Credential Access |
| azure_policy | Azure Policy | technique_scores | T1212 | Exploitation for Credential Access |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1212 | Exploitation for Credential Access |
| integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1212 | Exploitation for Credential Access |