DC0007: Web Credential Usage
An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)
Analyst context for executives and security teams
Web Credential Usage is evidence that someone attempted to access a web-based network or computing resource using credentials. For leaders, this matters because web logins are often where identity risk, remote access, SaaS access, and audit accountability become visible. The value of this data component is not that it proves compromise by itself, but that it can help confirm whether the organization can reconstruct who tried to access what, when, and with which authentication outcome.
Executive priority
Prioritize this as an identity and incident-readiness evidence source. Security leaders should ask whether critical web-accessible resources produce usable credential-use logs, whether those logs are retained and searchable during investigations, and whether they support compliance questions around access attempts. Because ATT&CK provides no specific platform, tactic, or detection guidance for this object, priority should be driven by local business-critical applications, remote access paths, regulated systems, and services where credential misuse would affect continuity or auditability.
Technical view
SOC, detection, and IR teams should validate that web credential-use events are collected from relevant web authentication points and can be correlated with user, resource, timestamp, source, and authentication result where available. The official example references Windows Event ID 1202, but the ATT&CK object does not limit this component to a specific platform. Treat this as a foundational telemetry class for investigations involving web access attempts rather than a standalone detection analytic.
Likely telemetry
- Web authentication logs showing credential submission attempts
- Authentication success and failure events for web-accessible resources
- User/account identifiers associated with web access attempts
- Timestamps and target resource or application identifiers
- Source context such as client address or session metadata when locally available
Detection direction
- Confirm which critical web resources actually generate credential-use events and which do not.
- Validate log completeness, retention, timestamp accuracy, and ability to correlate web credential usage with identity records and application access logs.
- Tune analysis around unusual access patterns only with local baselines; the ATT&CK object provides no official detection logic.
- Account for false positives from normal user login failures, password resets, expired sessions, service accounts, and automated authentication flows.
- Identify blind spots such as unmanaged web applications, short log retention, missing failed-login records, or logs that lack user/resource context.
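The coverage checks in the list above can be run as a script over exported web authentication events. This is an added example, not part of the ATT&CK object or the original page. The JSON field names, resource names and sample events are constructed assumptions, and `now` must be a timezone-aware datetime.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields each event should carry for correlation (field names are assumptions).
REQUIRED = ("timestamp", "user", "resource", "source_ip", "result")

# Constructed sample events; not taken from any real system.
SAMPLE_LOG = """\
{"timestamp":"2026-01-10T08:00:05+00:00","user":"alice","resource":"hr-portal","source_ip":"10.0.0.5","result":"success"}
{"timestamp":"2026-01-10T08:01:10+00:00","user":"bob","resource":"hr-portal","source_ip":"10.0.0.9","result":"failure"}
{"timestamp":"2026-01-10T08:02:00+00:00","user":"carol","resource":"vpn-web","source_ip":"10.0.0.7","result":"success"}
{"timestamp":"2026-01-10T08:03:30+00:00","resource":"vpn-web","source_ip":"10.0.0.8","result":"success"}
{"timestamp":"2026-01-11T09:00:00+00:00","user":"dave","resource":"wiki","source_ip":"10.0.0.4","result":"failure"}
not-json garbage line
"""

def audit_coverage(log_text, expected_resources, now, max_skew=timedelta(minutes=5)):
    """Report telemetry gaps per resource; this checks log quality, not user behavior."""
    stats = defaultdict(lambda: {"events": 0, "results": set(), "missing": defaultdict(int), "future": 0})
    unparsed = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # lines the pipeline cannot parse are themselves a blind spot
            continue
        s = stats[ev.get("resource") or "<no resource>"]
        s["events"] += 1
        s["results"].add(ev.get("result"))
        for field in REQUIRED:
            if not ev.get(field):
                s["missing"][field] += 1
        ts = ev.get("timestamp")
        if ts and datetime.fromisoformat(ts) > now + max_skew:
            s["future"] += 1  # timestamp accuracy: event is ahead of collection time
    findings = []
    for res in sorted(set(expected_resources) | set(stats)):
        s = stats.get(res)
        if s is None:
            findings.append((res, "no credential-use events collected"))
            continue
        if "failure" not in s["results"]:
            findings.append((res, "no failed-login records"))
        for field, n in sorted(s["missing"].items()):
            findings.append((res, f"{n} event(s) missing {field}"))
        if s["future"]:
            findings.append((res, f"{s['future']} event(s) timestamped in the future"))
    return findings, unparsed
```

A "no failed-login records" finding over a short window may only mean nobody mistyped a password, so confirm it against a longer export before treating it as a logging gap.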
Mitigation priorities
- Inventory business-critical web authentication points and assign logging ownership.
- Ensure credential-use events are retained long enough to support incident response and compliance evidence needs.
- Standardize collection into SOC-accessible logging or SIEM workflows where appropriate.
- Prioritize stronger identity controls for high-risk web access paths, guided by local risk and policy requirements.
- Test incident response playbooks to confirm teams can reconstruct web credential-use timelines during an investigation.
Analyst notes and limits
This is a data component, not a technique or mitigation. Its primary defensive value is as evidence for monitoring and investigation of web credential access attempts. The supplied ATT&CK fields include a concise description and one example event reference, but no tactics, platforms, detection text, or relationships, so local architecture determines where this telemetry is most important.
No official detection guidance, platforms, tactics, labels, aliases, or relationship context were supplied. This take does not infer attacker behavior, active exploitation, attribution, or detection coverage. Organizations must validate applicability against their own web applications, identity providers, logging architecture, and retention requirements.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | b967b094a8ec… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0007
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.