A list of attack techniques (Techniques) associated with the "Credential Access" tactic.
| Technique ID | Name | Description |
|---|---|---|
| T1003 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a h… |
| T1003.001 | LSASS Memory | Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsy… |
| T1003.002 | Security Account Manager | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through i… |
| T1003.003 | NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential … |
| T1003.004 | LSA Secrets | Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain… |
| T1003.005 | Cached Domain Credentials | Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain … |
| T1003.006 | DCSync | Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's a… |
| T1003.007 | Proc Filesystem | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used … |
| T1003.008 | /etc/passwd and /etc/shadow | Adversaries may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline … |
| T1040 | Network Sniffing | Adversaries may passively sniff network traffic to capture information about an environment, including authentication ma… |
| T1081 | Credentials in Files | Adversaries may search local file systems and remote file shares for files containing passwords. These can be files crea… |
| T1110 | Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes… |
| T1110.001 | Password Guessing | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to at… |
| T1110.002 | Password Cracking | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when creden… |
| T1110.003 | Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acqu… |
| T1110.004 | Credential Stuffing | Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts throu… |
| T1111 | Multi-Factor Authentication Interception | Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain… |
| T1139 | Bash History | Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the hi… |
| T1141 | Input Prompt | When programs are executed that need additional privileges than are present in the current user context, it is common fo… |
| T1142 | Keychain | Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and feature… |
| T1145 | Private Keys | Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. … |
| T1167 | Securityd Memory | In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because App… |
| T1171 | LLMNR/NBT-NS Poisoning and Relay | Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that ser… |
| T1174 | Password Filter DLL | Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are impl… |
| T1187 | Forced Authentication | Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication informa… |
| T1208 | Kerberoasting | Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authenticatio… |
| T1212 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulner… |
| T1214 | Credentials in Registry | The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may … |
| T1503 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos… |
| T1522 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… |
| T1528 | Steal Application Access Token | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resourc… |
| T1539 | Steal Web Session Cookie | An adversary may steal web application or service session cookies and use them to gain access to web applications or Int… |
| T1552 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be st… |
| T1552.001 | Credentials In Files | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. The… |
| T1552.002 | Credentials in Registry | Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry store… |
| T1552.003 | Shell History | Adversaries may search the command history on compromised systems for insecurely stored credentials. On Linux and macOS… |
| T1552.004 | Private Keys | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Priva… |
| T1552.005 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… |
| T1552.006 | Group Policy Preferences | Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow admini… |
| T1552.007 | Container API | Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Doc… |
| T1552.008 | Chat Messages | Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials… |
| T1555 | Credentials from Password Stores | Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) P… |
| T1555.001 | Keychain | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management sy… |
| T1555.002 | Securityd Memory | An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon re… |
| T1555.003 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos O… |
| T1555.004 | Windows Credential Manager | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for s… |
| T1555.005 | Password Managers | Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 201… |
| T1555.006 | Cloud Secrets Management Stores | Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secre… |
| T1557 | Adversary-in-the-Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (A… |
| T1557.001 | Name Resolution Poisoning and SMB Relay | By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to… |
| T1557.002 | ARP Cache Poisoning | Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two … |
| T1557.003 | DHCP Spoofing | Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHC… |
| T1557.004 | Evil Twin | Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a w… |
| T1558 | Steal or Forge Kerberos Tickets | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the T… |
| T1558.001 | Golden Ticket | Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a … |
| T1558.002 | Silver Ticket | Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket gr… |
| T1558.003 | Kerberoasting | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting… |
| T1558.004 | AS-REP Roasting | Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](http… |
| T1558.005 | Ccache Files | Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used fo… |
| T1606 | Forge Web Credentials | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web… |
| T1606.001 | Web Cookies | Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applicat… |
| T1606.002 | SAML Tokens | An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing … |
| T1621 | Multi-Factor Authentication Request Generation | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating… |
| T1649 | Steal or Forge Authentication Certificates | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certi… |