Esc
Exploitation for Credential Access - T1212
(ATT&CK® Technique)
Definition
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1212["Exploitation for Credential Access"] --> |may-modify| StackFrame["Stack Frame"]; class T1212 OffensiveTechniqueNode;
class StackFrame ArtifactNode; click StackFrame href "../../../dao/artifact/d3f:StackFrame";
click T1212 href "../../../offensive-technique/attack/T1212/"; click StackFrame href "../../../dao/artifact/d3f:StackFrame"; T1212["Exploitation for Credential Access"] --> |may-modify| ProcessCodeSegment["Process Code Segment"]; class T1212 OffensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode; click ProcessCodeSegment href "../../../dao/artifact/d3f:ProcessCodeSegment";
click T1212 href "../../../offensive-technique/attack/T1212/"; click ProcessCodeSegment href "../../../dao/artifact/d3f:ProcessCodeSegment"; T1212["Exploitation for Credential Access"] --> |may-access| CredentialManagementSystem["Credential Management System"]; class T1212 OffensiveTechniqueNode;
class CredentialManagementSystem ArtifactNode; click CredentialManagementSystem href "../../../dao/artifact/d3f:CredentialManagementSystem";
click T1212 href "../../../offensive-technique/attack/T1212/"; click CredentialManagementSystem href "../../../dao/artifact/d3f:CredentialManagementSystem"; T1212["Exploitation for Credential Access"] --> |may-access| AuthenticationService["Authentication Service"]; class T1212 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "../../../dao/artifact/d3f:AuthenticationService";
click T1212 href "../../../offensive-technique/attack/T1212/"; click AuthenticationService href "../../../dao/artifact/d3f:AuthenticationService"; ShadowStackComparisons["Shadow Stack Comparisons"] -->
| analyzes | StackFrame["Stack Frame"];
ShadowStackComparisons["Shadow Stack Comparisons"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ShadowStackComparisons DefensiveTechniqueNode;
class StackFrame ArtifactNode;
click ShadowStackComparisons href "../../../technique/d3f:ShadowStackComparisons"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "../../../technique/d3f:ProcessSpawnAnalysis"; ProcessCodeSegmentVerification["Process Code Segment Verification"] -->
| verifies | ProcessCodeSegment["Process Code Segment"];
ProcessCodeSegmentVerification["Process Code Segment Verification"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ProcessCodeSegmentVerification DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click ProcessCodeSegmentVerification href "../../../technique/d3f:ProcessCodeSegmentVerification"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "../../../technique/d3f:ProcessSelf-ModificationDetection"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1212["Exploitation for Credential Access"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "../../../technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1212["Exploitation for Credential Access"] ;
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "../../../technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1212["Exploitation for Credential Access"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "../../../technique/d3f:ProcessSuspension"; SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -->
| obfuscates | ProcessCodeSegment["Process Code Segment"];
SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -.->
| may-harden | T1212["Exploitation for Credential Access"] ;
class SegmentAddressOffsetRandomization DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click SegmentAddressOffsetRandomization href "../../../technique/d3f:SegmentAddressOffsetRandomization"; StackFrameCanaryValidation["Stack Frame Canary Validation"] -->
| validates | StackFrame["Stack Frame"];
StackFrameCanaryValidation["Stack Frame Canary Validation"] -.->
| may-harden | T1212["Exploitation for Credential Access"] ;
class StackFrameCanaryValidation DefensiveTechniqueNode;
class StackFrame ArtifactNode;
click StackFrameCanaryValidation href "../../../technique/d3f:StackFrameCanaryValidation"; ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -->
| neutralizes | ProcessCodeSegment["Process Code Segment"];
ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -.->
| may-harden | T1212["Exploitation for Credential Access"] ;
class ProcessSegmentExecutionPrevention DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click ProcessSegmentExecutionPrevention href "../../../technique/d3f:ProcessSegmentExecutionPrevention"; SoftwareUpdate["Software Update"] -->
| updates | CredentialManagementSystem["Credential Management System"];
SoftwareUpdate["Software Update"] -.->
| may-harden | T1212["Exploitation for Credential Access"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class CredentialManagementSystem ArtifactNode;
click SoftwareUpdate href "../../../technique/d3f:SoftwareUpdate"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1212["Exploitation for Credential Access"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "../../../technique/d3f:Application-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1212["Exploitation for Credential Access"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "../../../technique/d3f:Kernel-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1212["Exploitation for Credential Access"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "../../../technique/d3f:Hardware-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1212["Exploitation for Credential Access"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "../../../technique/d3f:SystemCallFiltering"; RestoreSoftware["Restore Software"] -->
| restores | CredentialManagementSystem["Credential Management System"];
RestoreSoftware["Restore Software"] -.->
| may-restore | T1212["Exploitation for Credential Access"] ;
class RestoreSoftware DefensiveTechniqueNode;
class CredentialManagementSystem ArtifactNode;
click RestoreSoftware href "../../../technique/d3f:RestoreSoftware"; MemoryBoundaryTracking["Memory Boundary Tracking"] -->
| analyzes | ProcessCodeSegment["Process Code Segment"];
MemoryBoundaryTracking["Memory Boundary Tracking"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class MemoryBoundaryTracking DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click MemoryBoundaryTracking href "../../../technique/d3f:MemoryBoundaryTracking"; ServiceBinaryVerification["Service Binary Verification"] -->
| verifies | CredentialManagementSystem["Credential Management System"];
ServiceBinaryVerification["Service Binary Verification"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ServiceBinaryVerification DefensiveTechniqueNode;
class CredentialManagementSystem ArtifactNode;
click ServiceBinaryVerification href "../../../technique/d3f:ServiceBinaryVerification"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1212["Exploitation for Credential Access"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "../../../technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1212["Exploitation for Credential Access"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "../../../technique/d3f:HostReboot"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1212["Exploitation for Credential Access"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "../../../technique/d3f:WebSessionAccessMediation";