MITRE ATT&CK® Tactic

TA0006: Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Domain: Enterprise | ID: TA0006 | Type: Tactic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Credential Access is the ATT&CK tactic for attempts to steal account names and passwords. For business leaders, this matters because stolen legitimate credentials can let an adversary look like a normal user, sustain access, and create additional accounts, making incidents harder to detect and contain.

Executive priority

Treat this as a core resilience and identity-risk priority rather than only a malware problem. Leaders should ask whether the organization can prove who accessed critical systems, whether suspicious use of legitimate credentials would be noticed quickly, and whether incident responders can revoke, rotate, and investigate credentials at business speed. This tactic also supports audit and compliance discussions around authentication controls, account governance, logging, and incident response readiness.

Technical view

ATT&CK supplies this object as an enterprise tactic, not a technique: it carries no official detection text, data sources, or platform scope. SOC, detection-engineering, and IR teams should therefore validate coverage across the credential lifecycle: collection of authentication activity, visibility into account creation and changes, evidence of credential dumping or keylogging where those techniques are in scope locally, and tested response procedures for credential-theft scenarios. Because legitimate credentials generate few overtly malicious signals, detections should emphasize abnormal account behavior, privilege changes, and unusual access patterns rather than relying on malware alerts alone.

Likely telemetry

  • Authentication and login events
  • Account creation, modification, and privilege-change records
  • Password reset and credential rotation records
  • Endpoint security events relevant to credential theft behaviors such as keylogging or credential dumping
  • Identity provider and directory service audit logs

Detection direction

  • Validate that identity and authentication logs are collected, retained, searchable, and correlated with endpoint and account-management activity.
  • Tune for suspicious use of legitimate credentials, including unusual access timing, source, sequence, or privilege context, while accounting for business travel, administrative maintenance, and service-account behavior as false-positive drivers.
  • Confirm that alerts can distinguish normal account administration from unexpected account creation or privilege expansion.
  • Use this tactic as a coverage-mapping category: because no official detection guidance is supplied for the tactic itself, map specific local detections to the relevant ATT&CK Credential Access techniques in your environment.
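The correlation that the technical view and the detection-direction bullets describe, as an added example written for this page (it is not Glexia, MITRE, or ATT&CK code). It assumes a constructed space-separated key=value log format, constructed event names (login, account_create, group_add, password_reset), assumed time windows, and a constructed per-user baseline of known source addresses; none of these are fields from any real product. It flags a successful login from a source the account has never used, the same account active from two sources within an hour, and account creation or privilege change shortly after such a login, while leaving routine administration after a normal login alone.

```python
"""Correlate authentication and account-management events to flag suspicious
use of legitimate credentials.  Added example for this page; the log format,
event names, thresholds and baseline are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp followed by space-separated key=value fields.
SAMPLE_LOG = """\
2024-05-01T08:55:00Z user=alice event=login src=10.0.1.5 result=success
2024-05-01T09:02:00Z user=alice event=login src=203.0.113.9 result=success
2024-05-01T09:04:00Z user=alice event=account_create target=svc-backup2
2024-05-01T09:06:00Z user=alice event=group_add target=svc-backup2 group=Administrators
2024-05-01T10:30:00Z user=bob event=login src=10.0.2.7 result=success
2024-05-01T10:45:00Z user=bob event=password_reset target=bob
2024-05-01T23:10:00Z user=carol event=login src=10.0.3.3 result=failure
"""

# Constructed baseline: the source addresses each account normally signs in from.
KNOWN_SOURCES = {
    "alice": {"10.0.1.5"},
    "bob": {"10.0.2.7"},
    "carol": {"10.0.3.3"},
}

# Account-management events worth correlating with an earlier suspicious login.
SENSITIVE_EVENTS = {"account_create", "group_add", "password_reset"}
FOLLOW_ON_WINDOW = timedelta(minutes=30)   # assumed: change soon after an odd login
CONCURRENT_WINDOW = timedelta(minutes=60)  # assumed: two sources "at the same time"


def parse_line(line):
    """Turn one log line into a dict; the leading token is the UTC timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text, known_sources):
    """Return (timestamp, user, finding, detail) tuples in time order."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    findings = []
    last_new_source_login = {}          # user -> time of latest login from unknown src
    recent_logins = defaultdict(list)   # user -> [(time, src), ...]

    for e in events:
        user = e["user"]
        if e["event"] == "login":
            if e.get("result") != "success":
                continue  # failed attempts belong to a separate brute-force rule
            src = e["src"]
            # 1. Successful login from a source this account has never used.
            if src not in known_sources.get(user, set()):
                findings.append((e["ts"], user, "login_from_new_source", src))
                last_new_source_login[user] = e["ts"]
            # 2. Same account active from two different sources inside the window.
            for prev_ts, prev_src in recent_logins[user]:
                if prev_src != src and e["ts"] - prev_ts <= CONCURRENT_WINDOW:
                    findings.append((e["ts"], user, "concurrent_sources",
                                     f"{prev_src},{src}"))
                    break
            recent_logins[user].append((e["ts"], src))
        elif e["event"] in SENSITIVE_EVENTS:
            # 3. Account creation / privilege change shortly after an odd login.
            # Routine administration (bob's reset after a normal login) is not flagged.
            odd_ts = last_new_source_login.get(user)
            if odd_ts is not None and e["ts"] - odd_ts <= FOLLOW_ON_WINDOW:
                findings.append((e["ts"], user, f"{e['event']}_after_new_source",
                                 e.get("target", "")))
    return findings


if __name__ == "__main__":
    for ts, user, finding, detail in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<6} {finding:<32} {detail}")
```

On the constructed sample this yields four findings, all for alice: the login from 203.0.113.9, the two-source overlap with 10.0.1.5, and the account creation and group addition that follow within the window. Bob's password reset after a login from his usual address produces nothing, which is the false-positive behaviour the detection-direction bullets ask for. In a real environment the baseline would come from historical identity-provider or directory logs rather than a literal, and the windows would be tuned against observed travel and maintenance patterns.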

Mitigation priorities

  • Prioritize strong identity governance, least privilege, and rapid removal or restriction of unnecessary accounts and permissions.
  • Ensure credential reset, rotation, session revocation, and account-disable procedures are tested as part of incident response readiness.
  • Protect and monitor privileged accounts and administrative workflows, since stolen credentials can enable further access and account creation.
  • Use control validation and tabletop exercises to confirm that SOC and IR teams can detect and respond when an adversary uses valid credentials rather than overt malware behavior.

Analyst notes and limits

This object is a high-level ATT&CK tactic, so the practical value comes from using it as a planning and coverage lens for identity security, SOC visibility, and incident response readiness. The supplied ATT&CK description specifically notes keylogging, credential dumping, use of legitimate credentials, reduced detectability, and account creation as relevant concepts.

No platforms, official detection guidance, technique relationships, mitigations, or procedure examples were supplied for this object. Local environment architecture, identity systems, logging configuration, and mapped Credential Access techniques are required before making coverage or exposure claims.

Official MITRE ATT&CK definition

Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

The same entry is available on attack.mitre.org (MITRE-hosted reference: https://attack.mitre.org/tactics/TA0006/). In-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in this snapshot)
Modified: (empty in this snapshot)
Raw hash: 4c2a32116f5419c6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 4c2a32116f54…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: TA0006 (https://attack.mitre.org/tactics/TA0006/)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.