Credential Access: TA0006
Overview
The Credential Access tactic focuses on how attackers attempt to steal or collect credentials (such as usernames, passwords, access tokens, or cryptographic keys) from compromised systems to gain unauthorized access. In Azure environments, attackers target Entra ID accounts, service principals, OAuth tokens, API keys, and password stores to escalate privileges or maintain persistence.
1. Brute Force (T1110)
Password Guessing (T1110.001)
Example: Attackers manually or programmatically attempt common passwords (e.g.,
Password123,Welcome2023) against an Entra ID user account.Tools: Scripts using Azure CLI with commands like:
Password Cracking (T1110.002)
Example: Attackers use hashed credentials captured from on-premise or cloud systems and crack them offline with tools like hashcat or John the Ripper.
Password Spraying (T1110.003)
Example: Attackers try a common password (e.g.,
Winter2023) across multiple accounts in Entra ID to bypass account lockouts triggered by multiple failed attempts on a single account.Tools: MSOLSpray or custom PowerShell scripts.
Credential Stuffing (T1110.004)
Example: Attackers use previously leaked credentials from other breaches to attempt logins on Entra ID accounts.
Tools: Automated scripts or credential stuffing tools like Sentry MBA.
2. Exploitation for Credential Access (T1212)
Example: Exploiting vulnerabilities in Azure AD Connect or OAuth misconfigurations to extract credentials directly from memory or to gain access tokens.
3. Forge Web Credentials (T1606)
SAML Tokens (T1606.002)
Example: Attackers generate forged SAML tokens using stolen private keys or exploiting vulnerabilities in identity federation setups.
Tools: ADFSpoof to create forged tokens that grant unauthorized access to Azure resources.
4. Modify Authentication Process (T1556)
Multi-Factor Authentication (T1556.004)
Example: Attackers exploit MFA bypass techniques, such as using legacy authentication protocols (e.g., IMAP or SMTP), which do not enforce MFA.
Hybrid Identity (T1556.005)
Example: Exploiting misconfigured Azure AD Connect to sync compromised on-premise credentials to Entra ID, enabling attackers to pivot from on-premise to cloud.
Conditional Access Policies
Example: Attackers exploit weakly configured policies, such as whitelisting of IP ranges or trusted devices, to bypass conditional access restrictions.
Multi-Factor Authentication Request Generation
Example: Using MFA fatigue attacks, attackers repeatedly generate push notifications until the user unintentionally approves the request.
5. Steal Application Access Token (T1528)
Example: Attackers steal OAuth 2.0 tokens from environments like browser storage, CLI tools, or Azure Key Vault to impersonate users or applications.
7. Unsecured Credentials (T1552)
Example: Attackers locate plaintext credentials in Azure resource configurations, scripts, or storage accounts.
Command to Monitor:
Summary of Key Concepts with Techniques and Azure Examples for TA0006
Key Concept
Technique
Azure Example
Stealing Authentication Tokens
T1552 - Unsecured Credentials
Query metadata service for access tokens
Dumping Passwords from Memory
T1003 - OS Credential Dumping
Use Mimikatz on a Windows VM to dump cached credentials
Extracting OAuth Tokens
T1550.001 - Application Access Tokens
Compromise Graph API tokens via phishing
Brute-Forcing Credentials
T1110.003 - Password Spraying
Attempt password spraying on Azure AD accounts
Keylogging and Input Capture
T1056.001 - Keylogging
Deploy keyloggers on compromised VMs
Exploiting Service Principals
T1078 - Valid Accounts
List service principal credentials using Azure CLI
Exfiltrating Secrets from Key Vault
T1555 - Credentials from Password Stores
Extract secrets using compromised service principal keys
Exploiting PRTs for Unauthorized Access
T1550.004 - Web Session Cookie
Extract PRTs using Mimikatz to bypass MFA
Last updated