T1589.001 Credentials Mappings

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization, or adversaries may attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites and then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from the dark web or other black markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1589.001 | Gather Victim Identity Information: Credentials |
| value_chain.targeting.variety.Lost or stolen credentials | Lost or stolen credentials, including credential stuffing, used to pick an organization as a target | related-to | T1589.001 | Gather Victim Identity Information: Credentials |
| value_chain.targeting.variety.Personal Information | Information on individuals such as title, interests, physical location, etc., used to pick an organization as a target | related-to | T1589.001 | Gather Victim Identity Information: Credentials |
| aws_security_hub | AWS Security Hub | technique_scores | T1589.001 | Credentials |