Overview of MITRE ATT&CK Tactic : TA0006-Credential Access
Introduction
In almost every modern cyber intrusion, stolen credentials act as the golden keys that unlock the rest of the network. Once attackers gain access to valid usernames, passwords, or tokens, they can impersonate legitimate users, move laterally, and blend into normal activity, often without triggering traditional security alarms.
Credential Access (MITRE ATT&CK Tactic TA0006) represents this critical stage of the adversary lifecycle, where the focus shifts from exploiting systems to compromising identities. Instead of brute-forcing their way in, skilled attackers steal the very credentials that defenders rely on to identify trusted users.
For defenders, understanding how credentials are harvested, stored, and abused is essential. This article walks through the most common Credential Access techniques, and how F5 solutions provide strong defense against them.
Techniques and Sub-Techniques
T1557 - Adversary in the Middle
Attackers insert themselves between users and legitimate services to intercept or manipulate network traffic. This allows them to capture credentials, replay authentication requests, or redirect victims to malicious systems, often without triggering alerts.
- T1557.001 - LLMNR / NBT-NS Poisoning & SMB Relay
Attackers spoof local name resolution requests so victims unknowingly authenticate to them. Captured NTLM hashes can be cracked or relayed to access other systems using valid credentials.
- T1557.002 - ARP Cache Poisoning
By sending forged ARP replies, attackers associate their MAC address with another host’s IP, diverting traffic through their device. This enables interception or manipulation of unencrypted data.
- T1557.003 - DHCP Spoofing
A rogue DHCP server issues fake network settings, such as a malicious gateway or DNS server, forcing clients to route traffic through the attacker’s system for monitoring or redirection.
- T1557.004 - Evil Twin
Attackers set up a fake Wi-Fi access point with a familiar SSID to trick users into connecting. Once connected, the attacker can capture credentials or monitor unsecured network traffic.
T1110 - Brute Force
Brute-force techniques attempt to gain access by systematically trying credentials or recovering secrets. They range from automated online guessing against live services to offline cracking of stolen hashes. Success often depends on weak passwords, lack of rate-limiting, or reuse of credentials.
- T1110.001 - Password Guessing
Automated tools try many username/password combinations directly against an authentication service (e.g., SSH, RDP, web login). Effective when accounts have weak or common passwords and when protections like account lockout or rate-limiting are absent.
- T1110.002 - Password Cracking
Attackers work offline against captured password hashes (from dumps or backups) using dictionary, rule-based, or brute-force algorithms to reveal plaintext passwords. This exploits weak hashing, lack of salting, or predictable passwords and scales with the attacker’s compute.
- T1110.003 - Password Spraying
Attackers try a small set of common passwords across many accounts to avoid lockouts and evade detection. It targets poor password hygiene at scale and is effective in large user bases where at least some accounts use common passwords.
- T1110.004 - Credential Stuffing
Attackers replay credentials obtained from previous breaches against other sites and services, relying on password reuse. Highly automated and effective when users reuse passwords across corporate and consumer services.
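As an added example (not code from the article or from F5), the following Python detection logic separates the two failure patterns described above, password spraying (many accounts, few attempts each) and classic guessing (many attempts against one account), over constructed failed-login lines; the log format and thresholds are assumptions to adapt to your own telemetry and lockout policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
#   "<ISO timestamp> FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) src=(\S+)$")

SAMPLE_LOG = (  # constructed sample data, not real telemetry
    [f"2024-05-01T09:00:{s:02d} FAIL user={u} src=10.0.0.5"
     for s, u in zip(range(0, 30, 5), ["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-05-01T09:01:{s:02d} FAIL user=alice src=10.0.0.9" for s in range(0, 36, 3)]
    + ["2024-05-01T09:02:00 FAIL user=gina src=10.0.0.7",
       "2024-05-01T09:02:30 FAIL user=gina src=10.0.0.7"]
)


def parse_failures(lines):
    """Return (timestamp, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def classify_sources(events, window=timedelta(minutes=10), spray_users=5,
                     spray_max_per_user=3, brute_attempts=10):
    """Label each source IP by the failure pattern seen in any sliding window.

    password_spraying: many distinct accounts, few attempts each (stays under lockout)
    brute_force:       many attempts against a single account from one source
    Thresholds are illustrative assumptions; tune them to your lockout policy.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # advance j so evs[i:j] is the set of failures within `window` of evs[i]
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            per_user = defaultdict(int)
            for _, user in evs[i:j]:
                per_user[user] += 1
            peak = max(per_user.values())
            if len(per_user) >= spray_users and peak <= spray_max_per_user:
                findings[src] = "password_spraying"
            elif peak >= brute_attempts and src not in findings:
                findings[src] = "brute_force"
    return findings


def run_sample():
    return classify_sources(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for src, label in run_sample().items():
        print(f"{src}: {label}")
```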
T1555 - Credentials from Password Stores
Attackers target stored credentials in OS-level stores, browsers, password managers, and cloud secret stores to obtain usable secrets without guessing or cracking. These stores centralize access credentials, so compromising them yields high-value secrets for lateral movement and persistence.
- T1555.001 - Keychain
The macOS Keychain holds passwords, certificates, and keys accessible to authorized apps or unlocked user sessions. Attackers who gain local access or escalate privileges can extract items from the Keychain when it’s unlocked or by abusing APIs.
- T1555.002 - Securityd Memory
On Apple platforms, securityd manages key material and can expose secrets in memory or via IPC if abused. Memory inspection or malicious processes invoking privileged APIs can reveal credentials held transiently by securityd.
- T1555.003 - Credentials from Web Browsers
Browsers store passwords, session cookies, and autofill data accessible to local processes or via browser APIs. Extracting browser stores or abusing extensions gives attackers direct access to website credentials and active sessions.
- T1555.004 - Windows Credential Manager
Windows Credential Manager stores web and Windows credentials (including domain and service account entries) and can be read by attackers with local access or elevated rights. Tools that read Vault or credential store contents can harvest stored secrets when protections are weak.
- T1555.005 - Password Managers
Third-party password managers (local or cloud-backed) centralize many credentials behind a master password. If the master secret is compromised, or if the manager’s local data is exfiltrated and brute-forced, attackers gain access to all stored credentials.
- T1555.006 - Cloud Secrets Management Stores
Cloud secret stores (e.g., AWS Secrets Manager, Azure Key Vault) centralize API keys, DB credentials, and certificates for applications. Misconfigured access controls or stolen cloud credentials allow attackers to read secrets programmatically and pivot into cloud workloads.
T1212 - Exploitation for Credential Access
Exploitation for Credential Access uses software vulnerabilities to cause systems or users to reveal credentials or authentication material. Rather than guessing or stealing stored secrets, attackers exploit flaws (server or client) to trigger authentication flows, dump memory, or escalate privileges that expose credentials.
T1187 - Forced Authentication
Forced Authentication coerces a target system or user into authenticating to an attacker-controlled endpoint, allowing the attacker to capture authentication material (NTLM hashes, Kerberos tickets, tokens) or relay them elsewhere. This method often requires no initial privileged access and leverages normal authentication mechanisms.
T1606 - Forge Web Credentials
Forging web credentials involves creating or tampering with authentication artifacts (cookies, tokens) so an attacker can impersonate users or bypass authentication controls. These techniques target web session mechanics and federation tokens rather than stealing passwords directly, and they enable access to web applications, APIs, and SSO-protected resources.
- T1606.001 - Web Cookies
Attackers forge or modify session cookies (or reuse stolen cookies) to assume a user’s authenticated session. This can be done by predicting weak cookie values, manipulating insecure cookie attributes (missing HttpOnly/Secure/SameSite), or forging cookies for applications that validate them poorly; once accepted by the server, the forged cookie grants unauthorized access until invalidated.
- T1606.002 - SAML Tokens
Attackers craft or replay SAML assertions or manipulate the SAML authentication flow to present valid-looking tokens to service providers. Exploitation paths include abusing weak signature validation, replaying intercepted assertions, or forging attributes in unsigned or unencrypted assertions, allowing impersonation in SSO environments until tokens are revoked or validation is corrected.
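As an added example (not code from the article or from F5), this Python snippet puts the weak pattern T1606.001 relies on, a predictable session identifier, beside a hardened form: a random session id bound to the user with an HMAC, validated in constant time, and issued with the cookie attributes whose absence the text names. The signing key, cookie name and attribute choices are assumptions for illustration.

```python
import hashlib
import hmac
import itertools
import secrets

# Demo-only key generated per process; a real deployment keeps and rotates it
# outside the code (assumption for illustration).
_SERVER_KEY = secrets.token_bytes(32)

# Weak pattern: a sequential session identifier. Anyone holding one value can
# guess its neighbours, which is the "predicting weak cookie values" path.
_counter = itertools.count(1000)


def weak_session_id():
    return str(next(_counter))


def issue_session(user):
    """Return "<user>.<random id>.<hmac>"; the MAC binds the user to the id.

    Assumes usernames contain no "." (used here as the field separator).
    """
    payload = f"{user}.{secrets.token_urlsafe(16)}"  # 128 bits of randomness
    mac = hmac.new(_SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_session(token):
    """Return the user for a genuine token, or None for a tampered/forged one."""
    try:
        user, sid, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(_SERVER_KEY, f"{user}.{sid}".encode(), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many MAC bytes matched
    return user if hmac.compare_digest(mac, expected) else None


def set_cookie_header(token, name="session"):
    """Set-Cookie value carrying the attributes whose absence T1606.001 exploits."""
    return f"{name}={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


def missing_cookie_flags(set_cookie_value):
    """List the protective attributes absent from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in attrs]


if __name__ == "__main__":
    tok = issue_session("alice")
    print(set_cookie_header(tok))
    print("tampered accepted:", validate_session("admin." + tok.split(".", 1)[1]))
    print("missing on weak cookie:", missing_cookie_flags(f"session={weak_session_id()}"))
```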
T1056 - Input Capture
Input capture techniques record user input or intercept credential entry points to collect passwords, PINs, or other secrets. Attackers use software or hardware methods to capture keystrokes, GUI input, browser form data, or hook APIs that deliver credentials to legitimate applications.
- T1056.001 - Keylogging
Malware records keystrokes (system-wide or target-process specific) to capture typed credentials and sensitive text. Logs are stored locally or exfiltrated; attackers may combine keylogs with clipboard or screenshot captures to increase context.
- T1056.002 - GUI Input Capture
Tools capture GUI inputs by intercepting window messages, monitoring focused fields, or taking targeted screenshots while users enter credentials. This lets attackers harvest credentials from password dialogs, apps, or remote desktop sessions, even when keystroke capture is limited.
- T1056.003 - Web Portal Capture
Adversaries inject scripts, malicious browser extensions, or use proxy/MITM techniques to capture form submissions and session data from web login portals. This directly yields usernames, passwords, and session tokens without needing a local host compromise in some scenarios.
- T1056.004 - Credential API Hooking
Attackers hook OS or application credential APIs (e.g., browser autofill, authentication libraries) to intercept secrets passed between apps and credential stores. By intercepting these programmatic flows, attackers can obtain credentials or tokens that are never typed by the user.
T1556 - Modify Authentication Process
In Modify Authentication Process attacks, adversaries change how authentication works to bypass controls, capture credentials, or enable unauthorized access. These techniques target authentication components (OS, domain, network devices, cloud identity) so that normal verification is weakened, subverted, or redirected.
- T1556.001 - Domain Controller Authentication
Attackers tamper with authentication flows on domain controllers (or their supporting services) to intercept, alter, or bypass domain authentication, for example by modifying authentication plugins, services, or components that validate credentials. Compromise here yields a broad ability to impersonate users or persist as trusted identities.
- T1556.002 - Password Filter DLL
On Windows, password filter DLLs run during password set/change operations; malicious or modified filters can exfiltrate plaintext passwords or accept weak/forged passwords. Subverting this component lets attackers capture credentials at creation time or allow unauthorized passwords to be accepted.
- T1556.003 - Pluggable Authentication Modules (PAM)
On Unix/Linux, PAM controls local and network authentication. Malicious or misconfigured PAM modules can log credentials, bypass policies, or allow alternate authentication paths, enabling attackers to capture passwords or escalate access silently.
- T1556.004 - Network Device Authentication
Attackers alter authentication mechanisms on routers, switches, or firewalls (local auth, RADIUS/TACACS integrations, certificate validation) to create backdoors or accept forged credentials. Control of device auth can provide persistent network-level access and visibility.
- T1556.005 - Reversible Encryption
Some systems store passwords using reversible encryption so they can be recovered. If attackers access the encryption keys or the code that performs reversible transforms, they can obtain plaintext credentials. Targeting these systems yields direct access to stored secrets rather than hashes.
- T1556.006 - Multi-Factor Authentication
Adversaries target MFA flows or enrollment processes (bypassing prompts, intercepting tokens, abusing backup/legacy factors) to defeat strong authentication. Weaknesses in how MFA is implemented or enrolled can allow attackers to present valid-looking authentication without the genuine second factor.
- T1556.007 - Hybrid Identity
Hybrid identity (on-prem AD + cloud identity) introduces sync and federation components that, if tampered with, let attackers bridge on-prem and cloud accounts or forge validation tokens. Compromises in sync/federation services can escalate an on-prem foothold into cloud-wide access.
- T1556.008 - Network Provider DLL
Windows network provider DLLs mediate network authentication and resource access; malicious providers can intercept credentials or reroute authentication requests to attacker-controlled endpoints. Replacing or hooking these DLLs enables broad interception of network auth flows.
- T1556.009 - Conditional Access Policies
Altering conditional access or policy evaluation (cloud or on-prem) can reduce enforcement (bypass location/device checks, disable step-up prompts) so attackers authenticate from unexpected contexts. Manipulating these policies undermines risk-based defenses that would otherwise block suspicious logins.
T1111 - Multi-Factor Authentication Interception
Attackers intercept or capture second-factor credentials or approval flows so possession checks (SMS codes, OTPs, push approvals) can be replayed or abused. This yields account access even when primary credentials are protected by MFA.
T1621 - Multi-Factor Authentication Request Generation
Adversaries force MFA prompts or generate authentication challenges to coerce users into approving logins (prompt-bombing) or to obtain one-time factors. Rather than cracking credentials, attackers rely on human behavior or automatic flows to gain approval.
T1040 - Network Sniffing
Network sniffing captures network traffic to collect credentials, tokens, cookies, or other sensitive data transmitted in plaintext or weakly protected streams. Sniffing can be passive (listening) or enabled by active techniques that redirect traffic through the attacker.
T1003 - OS Credential Dumping
OS credential dumping extracts authentication material from operating systems to obtain hashes, plaintext passwords, or tokens that enable lateral movement and privilege escalation. Techniques target in-memory processes, system stores, directory databases, and OS files to retrieve reusable secrets.
- T1003.001 - LSASS Memory
Attackers read lsass.exe memory to extract plaintext credentials, NTLM hashes, and Kerberos tickets. Tools or injected code dump LSASS memory for offline extraction or immediate reuse.
- T1003.002 - Security Account Manager (SAM)
The SAM database stores local account hashes on Windows systems. Attackers with local or SYSTEM-level access copy or parse the SAM (and its associated SYSTEM hive) to obtain password hashes for cracking or pass-the-hash use.
- T1003.003 - NTDS
The Active Directory database (ntds.dit) contains domain account hashes and metadata. Obtaining a copy of ntds.dit (often from a DC) allows bulk extraction of credentials for domain-wide compromise.
- T1003.004 - LSA Secrets
LSA Secrets in the registry store sensitive values (service account passwords, stored credentials). Reading LSA Secrets yields plaintext or recoverable secrets used by services and scheduled tasks.
- T1003.005 - Cached Domain Credentials
Windows caches domain credentials locally to allow logon when domain controllers are unavailable. Attackers extract cached credentials from the registry or files to authenticate offline or pivot.
- T1003.006 - DCSync
Using domain replication APIs, attackers impersonate a domain controller to request user password hashes and replication data from a real DC. DCSync provides direct access to domain credential material without copying ntds.dit.
- T1003.007 - Proc Filesystem
On Unix-like systems, /proc exposes process memory and credentials for running processes. Attackers read /proc/<pid>/mem or related entries to extract secrets from privileged processes.
- T1003.008 - /etc/passwd and /etc/shadow
Traditional Unix credential stores keep user account data in /etc/passwd (public) and hashed passwords in /etc/shadow. Accessing /etc/shadow or backup copies lets attackers perform offline cracking against hashed passwords.
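As an added example (not code from the article or from F5), here is defender-side detection for the DCSync sub-technique above: replication through the directory replication APIs surfaces as Windows Security event 4662 with the DS-Replication-Get-Changes control-access GUIDs in its Properties field, so a request that carries those GUIDs from an account that is not a domain controller (or an approved directory-sync service) is the signal. The events are constructed samples and the allow-lists are assumptions.

```python
import re

# Control-access right GUIDs that DCSync needs; they appear in the 4662
# "Properties" field when the right is exercised against the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)

SAMPLE_EVENTS = [  # constructed sample events; field names follow the 4662 schema
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # user class, not replication
    {"EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
]


def replication_rights_used(event):
    """Return the replication right names present in a 4662 event, if any."""
    if event.get("EventID") != 4662:
        return []
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def find_dcsync(events, dc_accounts, approved_accounts=()):
    """Flag replication requests from anything other than a DC computer account
    or an approved sync account (e.g. a directory-sync service). Both lists are
    assumptions that you populate from your own environment."""
    allowed = {a.upper() for a in dc_accounts} | {a.upper() for a in approved_accounts}
    findings = []
    for ev in events:
        rights = replication_rights_used(ev)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in allowed:
            findings.append({"subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                             "rights": rights})
    return findings


def run_sample():
    return find_dcsync(SAMPLE_EVENTS, dc_accounts=["DC01$", "DC02$"])


if __name__ == "__main__":
    for f in run_sample():
        print(f"DCSync candidate: {f['subject']} used {', '.join(f['rights'])}")
```

Auditing for 4662 must be enabled on the domain object (directory service access) for these events to exist at all; without it the rule has nothing to read.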
T1528 - Steal Application Access Token
Attackers obtain application access tokens (OAuth tokens, API keys, JWTs, refresh tokens) to impersonate apps or users and call APIs without needing passwords. Tokens are often long-lived or scoped widely, so stealing them grants immediate API access or persistence until revoked.
T1649 - Steal or Forge Authentication Certificates
Attackers steal private keys or create forged certificates to impersonate services, sign malware, or enable persistent, trusted access across networks and systems. Valid certificates let attackers bypass encryption-based protections and appear legitimate to clients and infrastructure.
T1539 - Steal Web Session Cookie
Session cookies grant an active authenticated session; stealing them lets an attacker impersonate a user without knowing their password. Attack vectors range from client-side exploits and network interception to server- or app-level flaws that expose tokens. Common methods include cross-site scripting (XSS), network interception/MITM, malicious extensions or compromised browser storage, session fixation/replay, and server-side exposure.
T1552 - Unsecured Credentials
Unsecured credentials are secrets left in places where they can be discovered and reused - files, registries, history logs, keys, cloud metadata, or chat messages. Attackers who find these artifacts gain immediate access to accounts, services, or infrastructure without needing to brute-force or exploit auth flows.
- T1552.001 - Credentials in Files
Plaintext credentials, config files, or scripts often contain hardcoded usernames and passwords. These files are easy to exfiltrate from repositories, backups, or deployed systems and provide immediate access when discovered.
- T1552.002 - Credentials in Registry
Applications and installers sometimes persist secrets in registry keys (Windows) where they remain readable by local processes or users with elevated rights. Attackers who access the registry can harvest service accounts, tokens, or stored credentials.
- T1552.003 - Bash History
Shell history files (e.g., ~/.bash_history) can contain typed passwords, tokens, or commands with secrets. They’re a low-effort source of credentials on compromised Unix-like hosts.
- T1552.004 - Private Keys
Unprotected private keys (SSH, TLS, code-signing) allow attackers to impersonate services or authenticate to systems without passwords. Keys stored without passphrases or left in world-readable locations are high-value targets.
- T1552.005 - Cloud Instance Metadata API
Cloud metadata endpoints expose temporary credentials or IAM tokens to the instance; if reachable by an attacker (misconfigured container, SSRF, or compromised process), they enable programmatic cloud access. These tokens are often scoped broadly and remain valid until rotated.
- T1552.006 - Group Policy Preferences
GPP historically stored domain credentials (e.g., cpassword) in AD GPO XML files; poorly secured or legacy GPP entries leak reversible secrets. Attackers can retrieve and decrypt these values to obtain domain or service credentials.
- T1552.007 - Container API
Container runtimes and orchestration APIs may expose secrets or mount host credentials into containers (service account tokens, kubelet access). Compromised containers can therefore be a pivot to cluster-level credentials or host secrets.
- T1552.008 - Chat Messages
Users sometimes share credentials over chat or collaboration tools (private messages, channels, tickets). These conversational artifacts are searchable and often overlooked during credential hygiene reviews, making them useful for attackers.
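As an added example (not code from the article or from F5), this Python scanner looks for the artifact types behind T1552.001, .004 and .006 above (hardcoded password assignments, cloud access key ids, private key blocks, and GPP cpassword attributes) so a defender can find them before an attacker does; the patterns are illustrative assumptions, not a complete ruleset, and the file contents are constructed samples.

```python
import re

# Ordered so the GPP-specific rule fires before the generic password rule.
PATTERNS = {
    "gpp_cpassword": re.compile(r'cpassword="(?P<secret>[^"]*)"'),
    "private_key_block": re.compile(
        r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(
        r"(?i)(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*['\"]?(?P<secret>[^\s'\"]+)"),
}

SAMPLE_FILES = {  # constructed contents; the AWS key id is AWS's published example value
    "app/config.ini": "[db]\nhost=db01\npassword = Summ3r2024!\n",
    "deploy/.env": "REGION=us-east-1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "home/svc/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
    "sysvol/Policies/{GUID}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="svc_backup">'
        '<Properties userName="svc_backup" cpassword="c0nstructedSampleValue=="/>'
        "</User></Groups>\n",
    "etc/motd": "Welcome. Password resets go through the helpdesk.\n",
}


def mask(value, keep=2):
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 3)


def scan_text(path, text):
    """Return one finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "preview": mask(m.group("secret"))})
                break
    return findings


def scan_files(files):
    """files: mapping of path -> text content (read from disk or a repo in real use)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} -> {f['preview']}")
```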
How F5 Can Help
F5 solutions protect against credential theft and abuse by enforcing strong authentication, access controls, and traffic inspection:
- Access Policy Enforcement: F5 BIG-IP APM can enforce MFA, IP reputation checks, and adaptive access policies to prevent unauthorized logins.
- Secure Proxying & SSL/TLS Inspection: F5 can terminate, inspect, and re-encrypt traffic, detecting malicious payloads or anomalous sessions targeting authentication flows.
- Rate-Limiting & Bot Protection: Brute-force, credential stuffing, and session attacks can be mitigated with configurable thresholds and automated bot protection.
- Centralized Visibility & Logging: Detailed telemetry enables detection of abnormal authentication patterns, suspicious session reuse, or lateral movement attempts.
For more information, please contact your local F5 sales team.
Conclusion
Credential access is a critical phase in the attacker lifecycle, enabling lateral movement, privilege escalation, and persistent access. Understanding common techniques from brute force and token theft to input capture and exploitation of authentication processes allows defenders to prioritize controls, monitor high-risk behaviors, and respond quickly. Strong credential hygiene, multifactor authentication, and careful monitoring of authentication flows are essential to reducing exposure and limiting the impact of compromise.