T1589.001: Credentials
Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.[1][2][3][4][5][6][7][8] Where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).[9]
Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.). Adversaries may purchase credentials from dark web markets, such as Russian Market and 2easy, or through access to Telegram channels that distribute logs from infostealer malware.[10][11][12]
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).
Analyst context for executives and security teams
This reconnaissance behavior matters because attackers can prepare an intrusion before touching the organization’s network by collecting passwords, tokens, cookies, or MFA-related information from leaks, phishing-for-information, code repositories, breach dumps, markets, or compromised third parties. For leaders, the key issue is whether exposed credentials would let an adversary move quickly into remote access, cloud services, or business applications using apparently legitimate identity activity.
Executive priority
Treat this as an identity exposure and pre-compromise risk, not only a SOC alerting problem. Leadership should ask whether the organization can prove it monitors for leaked corporate credentials and tokens, removes secrets from repositories, enforces resilient MFA, and has an incident process for rapid credential invalidation. The ATT&CK relationships show this behavior is used by multiple groups and campaigns, so control investment should prioritize reducing exposed identity material before it becomes initial access via Valid Accounts or External Remote Services.
Technical view
T1589.001 is a PRE-platform reconnaissance sub-technique under Gather Victim Identity Information. SOC, IR, identity, and cloud teams should validate coverage for exposed usernames/passwords, authentication cookies, API or bot tokens, credentials in public or accessible code repositories, breach-dump appearances, stealer-log exposure, and MFA/OTP abuse scenarios involving out-of-band providers. MITRE does not provide official detection text for this object, but the related detection strategy DET0813 indicates detection should focus on identifying exposed or collected credentials before they are used. Teams should connect findings to downstream ATT&CK paths such as Compromise Accounts, Valid Accounts, and External Remote Services.
Likely telemetry
- Credential exposure monitoring results from breach dumps, stealer-log sources, dark web or market intelligence, and public data sets
- Code repository and secret-scanning findings for passwords, cloud keys, API tokens, bot tokens, and configuration secrets
- Identity provider and remote access records showing attempted use of known-exposed accounts or abnormal authentication patterns
- MFA and OTP event records, including provider-side alerts where available
- Phishing-for-information reports, user submissions, and security awareness intake
Detection direction
- Validate whether DET0813-style detection is operationalized as a process: discover exposed credentials, confirm ownership, assess validity, revoke or rotate, and track remediation evidence.
- Tune detections to separate stale historical leaks from still-valid corporate accounts, privileged users, cloud/service credentials, and accounts tied to remote access paths.
- Include non-password secrets in scope; repository leaks, Slack or bot tokens, cloud service credentials, and cookies may create equivalent access risk.
- Correlate external exposure findings with identity logs to identify attempted use, password spraying, MFA prompts, or remote service authentication tied to exposed accounts.
- Account for blind spots: personal-account password reuse, third-party MFA/OTP provider compromise, private Telegram or market distribution, and repositories outside enterprise ownership may not be visible in internal telemetry.
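The triage and correlation steps listed above, as an added example that is not part of the page or of any Glexia or MITRE tooling: it joins constructed exposure findings to a constructed identity inventory, marks a finding stale when the password was rotated after the leak date, counts identity-provider authentication attempts on or after the exposure date, and scores the result for response priority. The key=value log layout and the field names are assumptions for the example.

```python
import re
from datetime import date
# Constructed sample exposure findings (not real leaks): corporate accounts seen in external sources.
FINDINGS = [
    {"account": "jdoe@example.com",       "source": "breach-dump",     "seen": "2023-02-10"},
    {"account": "svc-backup@example.com", "source": "stealer-log",     "seen": "2024-09-01"},
    {"account": "alice@example.com",      "source": "dark-web-market", "seen": "2021-05-20"},
    {"account": "bob@personal.example",   "source": "stealer-log",     "seen": "2024-08-30"},
]
# Constructed identity inventory: last password rotation, privilege, remote-access entitlement.
IDENTITY = {
    "jdoe@example.com":       {"rotated": "2022-11-01", "privileged": False, "remote": True},
    "svc-backup@example.com": {"rotated": "2024-01-15", "privileged": True,  "remote": True},
    "alice@example.com":      {"rotated": "2022-01-01", "privileged": False, "remote": False},
}
# Constructed identity-provider log lines; the key=value layout is an assumption, not a vendor format.
AUTH_LOG = """\
2024-09-03T10:01:12Z user=jdoe@example.com result=FAIL src=203.0.113.5 app=vpn
2024-09-03T10:01:40Z user=jdoe@example.com result=SUCCESS src=203.0.113.5 app=vpn
2024-09-03T11:20:00Z user=svc-backup@example.com result=FAIL src=198.51.100.7 app=m365
2024-09-03T11:20:03Z user=svc-backup@example.com result=FAIL src=198.51.100.7 app=m365
"""
LINE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+) app=(\S+)")

def parse_auth_log(text):
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(dict(zip(("ts", "user", "result", "src", "app"), m.groups())))
    return events

def triage(findings, identity, events):
    """Mark each exposure stale or still-valid and score it for response priority (highest first)."""
    rows = []
    for f in findings:
        acct = identity.get(f["account"])
        if acct is None:  # not a corporate identity: possible personal-account reuse, needs a human look
            rows.append({"account": f["account"], "status": "unknown", "priority": 1, "attempts": 0})
            continue
        stale = date.fromisoformat(acct["rotated"]) > date.fromisoformat(f["seen"])
        # Authentication attempts on or after the day the credential was seen exposed
        tries = [e for e in events if e["user"] == f["account"] and e["ts"][:10] >= f["seen"]]
        score = 0 if stale else (1 + 2 * acct["privileged"] + acct["remote"]
                                 + bool(tries) + any(e["result"] == "SUCCESS" for e in tries))
        rows.append({"account": f["account"], "status": "stale" if stale else "still-valid",
                     "priority": score, "attempts": len(tries)})
    return sorted(rows, key=lambda r: -r["priority"])
```

The privileged service account with attempted use since the leak ranks first, the stale historical leak last, and the non-corporate account is kept as an "unknown" row so the password-reuse blind spot is not silently dropped.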
Mitigation priorities
- Prioritize pre-compromise controls consistent with M1056: reduce externally available identity information and make credential collection less useful to adversaries.
- Enforce strong, phishing-resistant MFA where feasible and review processes for OTP or out-of-band provider dependencies.
- Implement secret scanning and remediation workflows for public and internal repositories before code or configuration is exposed.
- Maintain a credential exposure response process for forced resets, token rotation, session revocation, and validation that exposed credentials are no longer usable.
- Reduce credential reuse risk through password policy, user education, and monitoring of corporate identities appearing in external data sets.
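The secret-scanning control above, as an added example that is not the page's own code and not truffleHog or Gitrob: it combines known-prefix patterns (AWS access key IDs, Slack tokens, PEM private key headers) with a Shannon-entropy check on generic password/secret/token assignments, skipping template variables and placeholders. Every value in the sample file content is constructed for the example.

```python
import math
import re

# Known-prefix patterns; the prefixes are public documentation facts, the match targets are not real.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignments such as password=..., secret: "...", api_key = ... in configs and source.
ASSIGNMENT = re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s,;]{8,})")

def shannon_entropy(s):
    """Bits per character; high values suggest random key material rather than a placeholder."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text, entropy_threshold=3.5):
    """Return (line_no, kind, value) for each likely secret; placeholders and templates are skipped."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if "${" in value or value.upper() in ("CHANGEME", "REDACTED") or value.startswith("<"):
                continue  # template variable or documented placeholder, not a credential
            if shannon_entropy(value) >= entropy_threshold:
                hits.append((no, "high_entropy_" + m.group(1).lower(), value))
    return hits

# Constructed sample file content; every value below is made up for the example.
SAMPLE = """\
db_password = ${DB_PASSWORD}
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
slack_bot = xoxb-000000000000-000000000000-FakeExampleToken
api_key: "7Q9fL2xVb8nZ4pR1sT6wYe3k"
admin_password = changeme
"""
```

Run `scan(SAMPLE)` to see three findings; the template reference on line 1 and the placeholder on line 5 produce none, which is the noise a remediation workflow needs to avoid.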
Analyst notes and limits
The relationship context links this technique to the parent reconnaissance technique T1589 and to campaigns/groups including SolarWinds Compromise, C0027, APT28, Magic Hound, Leviathan, Chimera, and LAPSUS$. This supports prioritizing identity exposure management, but it does not imply those actors are targeting any specific organization. The practical value is in proving whether exposed identity material can be found, invalidated, and tied to downstream authentication risk.
MITRE provides no official detection text for this technique, and the platform is PRE, so many signals may come from external intelligence, repository scanning, identity telemetry, and response processes rather than endpoint logs. Local conclusions require environment-specific evidence about credential validity, MFA configuration, repository exposure, remote access paths, and third-party identity dependencies.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1589 | Gather Victim Identity Information | This object is a sub-technique of Gather Victim Identity Information. |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G1004: LAPSUS$
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
G0114: Chimera
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
C0027: C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1533fcf4d560… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
[2] Register Deloitte: Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.
[3] Register Uber: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.
[4] Detectify Slack Tokens: Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved November 17, 2024.
[5] Forbes GitHub Creds: Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.
[6] GitHub truffleHog: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.
[7] GitHub Gitrob: Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.
[8] CNET Leaks: Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.
[9] Okta Scatter Swine 2022: Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.
[10] Bleeping Computer 2easy 2021: Bill Toulas. (2021, December 21). 2easy now a significant dark web marketplace for stolen data. Retrieved October 7, 2024.
[11] SecureWorks Infostealers 2023: SecureWorks Counter Threat Unit Research Team. (2023, May 16). The Growing Threat from Infostealers. Retrieved October 10, 2024.
[12] Bleeping Computer Stealer Logs 2023: Flare. (2023, June 6). Dissecting the Dark Web Supply Chain: Stealer Logs in Context. Retrieved October 10, 2024.
[13] mitre-attack T1589.001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.