# TA0006 — Credential Access

## Description

Credential Access covers the techniques an adversary uses to **steal usernames and passwords**, or hashes that can stand in for passwords. Credentials are the "gold" of an operation: with legitimate Domain Admin credentials, the attacker can move laterally without raising alarms, because every action appears to come from an authorized user.

Credential sources are diverse: the memory of the lsass.exe process ([[t1003-os-credential-dumping|T1003]]), configuration files, web browsers, password managers, internal databases, and interactive techniques such as keylogging ([[t1056-input-capture|T1056]]) and brute-force attacks ([[t1110-brute-force|T1110]]). In Active Directory environments, credential dumping is almost always the intermediate objective before full domain compromise.

Tools such as Mimikatz, LaZagne, Impacket and BloodHound have made credential dumping and Active Directory analysis accessible to less sophisticated groups. In ransomware operations, dumping Domain Admin credentials is the prerequisite for mass deployment of the encryptor payload across the whole network.

## Position in the Kill Chain

```mermaid
graph TB
    R["Reconnaissance"]:::inactive --> RD["Resource<br/>Development"]:::inactive
    RD --> IA["Initial Access"]:::inactive
    IA --> EX["Execution"]:::inactive
    EX --> PE["Persistence"]:::inactive
    PE --> PR["Priv. Escalation"]:::inactive
    PR --> DE["Defense Evasion"]:::inactive
    DE --> CA["🔑 Credential<br/>Access"]:::active
    CA --> DI["Discovery"]:::inactive
    DI --> LM["Lateral<br/>Movement"]:::inactive
    LM --> CO["Collection"]:::inactive
    CO --> C2["Command and<br/>Control"]:::inactive
    C2 --> EXF["Exfiltration"]:::inactive
    EXF --> IM["Impact"]:::inactive
    classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
    classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```

## Techniques of this Tactic in the Vault

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Credential Access")
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Credential Access") SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Credential Access") SORT mitre-id ASC -->
| Note | ID | Technique | Platforms |
| --- | --- | --- | --- |
| [[t1003-os-credential-dumping\|T1003 - OS Credential Dumping]] | T1003 | T1003 - OS Credential Dumping | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1003-001-lsass-memory\|T1003.001 - LSASS Memory]] | T1003.001 | T1003.001 - LSASS Memory | <ul><li>Windows</li></ul> |
| [[t1003-002-security-account-manager\|T1003.002 - Security Account Manager]] | T1003.002 | T1003.002 - Security Account Manager | <ul><li>Windows</li></ul> |
| [[t1003-003-ntds\|T1003.003 - NTDS]] | T1003.003 | T1003.003 - NTDS | <ul><li>Windows</li></ul> |
| [[t1003-004-lsa-secrets\|T1003.004 - LSA Secrets]] | T1003.004 | T1003.004 - LSA Secrets | <ul><li>Windows</li></ul> |
| [[t1003-005-cached-domain-credentials\|T1003.005 - Cached Domain Credentials]] | T1003.005 | T1003.005 - Cached Domain Credentials | <ul><li>Windows</li><li>Linux</li></ul> |
| [[t1003-006-dcsync\|T1003.006 - DCSync]] | T1003.006 | T1003.006 - DCSync | <ul><li>Windows</li></ul> |
| [[t1003-007-proc-filesystem\|T1003.007 - Proc Filesystem]] | T1003.007 | T1003.007 - Proc Filesystem | <ul><li>Linux</li></ul> |
| [[t1003-008-etcpasswd-and-etcshadow\|T1003.008 - /etc/passwd and /etc/shadow]] | T1003.008 | T1003.008 - /etc/passwd and /etc/shadow | <ul><li>Linux</li></ul> |
| [[t1040-network-sniffing\|T1040 - Network Sniffing]] | T1040 | T1040 - Network Sniffing | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li><li>IaaS</li></ul> |
| [[t1110-brute-force\|T1110 - Brute Force]] | T1110 | T1110 - Brute Force | <ul><li>Containers</li><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1110-001-password-guessing\|T1110.001 - Password Guessing]] | T1110.001 | T1110.001 - Password Guessing | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Containers</li><li>Network Devices</li><li>Office Suite</li><li>Identity Provider</li><li>ESXi</li></ul> |
| [[t1110-002-password-cracking\|T1110.002 - Password Cracking]] | T1110.002 | T1110.002 - Password Cracking | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1110-003-password-spraying\|T1110.003 - Password Spraying]] | T1110.003 | T1110.003 - Password Spraying | <ul><li>Containers</li><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>Network Devices</li><li>Office Suite</li><li>SaaS</li><li>Windows</li><li>macOS</li></ul> |
| [[t1110-004-credential-stuffing\|T1110.004 - Credential Stuffing]] | T1110.004 | T1110.004 - Credential Stuffing | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Containers</li><li>Network Devices</li><li>Office Suite</li><li>Identity Provider</li><li>ESXi</li></ul> |
| [[t1111-multi-factor-authentication-interception\|T1111 - Multi-Factor Authentication Interception]] | T1111 | T1111 - Multi-Factor Authentication Interception | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1187-forced-authentication\|T1187 - Forced Authentication]] | T1187 | T1187 - Forced Authentication | <ul><li>Windows</li></ul> |
| [[t1212-exploitation-for-credential-access\|T1212 - Exploitation for Credential Access]] | T1212 | T1212 - Exploitation for Credential Access | <ul><li>Linux</li><li>Windows</li><li>macOS</li><li>Identity Provider</li></ul> |
| [[t1528-steal-application-access-token\|T1528 - Steal Application Access Token]] | T1528 | T1528 - Steal Application Access Token | <ul><li>SaaS</li><li>Containers</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1539-steal-web-session-cookie\|T1539 - Steal Web Session Cookie]] | T1539 | T1539 - Steal Web Session Cookie | <ul><li>Linux</li><li>Office Suite</li><li>SaaS</li><li>Windows</li><li>macOS</li></ul> |
| [[t1552-unsecured-credentials\|T1552 - Unsecured Credentials]] | T1552 | T1552 - Unsecured Credentials | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Containers</li><li>Network Devices</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1552-001-credentials-in-files\|T1552.001 - Credentials In Files]] | T1552.001 | T1552.001 - Credentials In Files | <ul><li>Containers</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1552-002-credentials-in-registry\|T1552.002 - Credentials in Registry]] | T1552.002 | T1552.002 - Credentials in Registry | <ul><li>Windows</li></ul> |
| [[t1552-003-shell-history\|T1552.003 - Shell History]] | T1552.003 | T1552.003 - Shell History | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1552-004-private-keys\|T1552.004 - Private Keys]] | T1552.004 | T1552.004 - Private Keys | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1552-005-cloud-instance-metadata-api\|T1552.005 - Cloud Instance Metadata API]] | T1552.005 | T1552.005 - Cloud Instance Metadata API | <ul><li>IaaS</li></ul> |
| [[t1552-006-group-policy-preferences\|T1552.006 - Group Policy Preferences]] | T1552.006 | T1552.006 - Group Policy Preferences | <ul><li>Windows</li></ul> |
| [[t1552-007-container-api\|T1552.007 - Container API]] | T1552.007 | T1552.007 - Container API | <ul><li>Containers</li></ul> |
| [[t1552-008-chat-messages\|T1552.008 - Chat Messages]] | T1552.008 | T1552.008 - Chat Messages | <ul><li>SaaS</li><li>Office Suite</li></ul> |
| [[t1555-credentials-from-password-stores\|T1555 - Credentials from Password Stores]] | T1555 | T1555 - Credentials from Password Stores | <ul><li>IaaS</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1555-001-keychain\|T1555.001 - Keychain]] | T1555.001 | T1555.001 - Keychain | <ul><li>macOS</li></ul> |
| [[t1555-002-securityd-memory\|T1555.002 - Securityd Memory]] | T1555.002 | T1555.002 - Securityd Memory | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1555-003-credentials-from-web-browsers\|T1555.003 - Credentials from Web Browsers]] | T1555.003 | T1555.003 - Credentials from Web Browsers | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1555-004-windows-credential-manager\|T1555.004 - Windows Credential Manager]] | T1555.004 | T1555.004 - Windows Credential Manager | <ul><li>Windows</li></ul> |
| [[t1555-005-password-managers\|T1555.005 - Password Managers]] | T1555.005 | T1555.005 - Password Managers | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1555-006-cloud-secrets-management-stores\|T1555.006 - Cloud Secrets Management Stores]] | T1555.006 | T1555.006 - Cloud Secrets Management Stores | <ul><li>IaaS</li></ul> |
| [[t1556-modify-authentication-process\|T1556 - Modify Authentication Process]] | T1556 | T1556 - Modify Authentication Process | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>IaaS</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1556-001-domain-controller-authentication\|T1556.001 - Domain Controller Authentication]] | T1556.001 | T1556.001 - Domain Controller Authentication | <ul><li>Windows</li></ul> |
| [[t1556-002-password-filter-dll\|T1556.002 - Password Filter DLL]] | T1556.002 | T1556.002 - Password Filter DLL | <ul><li>Windows</li></ul> |
| [[t1556-003-pluggable-authentication-modules\|T1556.003 - Pluggable Authentication Modules]] | T1556.003 | T1556.003 - Pluggable Authentication Modules | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1556-004-network-device-authentication\|T1556.004 - Network Device Authentication]] | T1556.004 | T1556.004 - Network Device Authentication | <ul><li>Network Devices</li></ul> |
| [[t1556-005-reversible-encryption\|T1556.005 - Reversible Encryption]] | T1556.005 | T1556.005 - Reversible Encryption | <ul><li>Windows</li></ul> |
| [[t1556-006-multi-factor-authentication\|T1556.006 - Multi-Factor Authentication]] | T1556.006 | T1556.006 - Multi-Factor Authentication | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1556-007-hybrid-identity\|T1556.007 - Hybrid Identity]] | T1556.007 | T1556.007 - Hybrid Identity | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1556-008-network-provider-dll\|T1556.008 - Network Provider DLL]] | T1556.008 | T1556.008 - Network Provider DLL | <ul><li>Windows</li></ul> |
| [[t1556-009-conditional-access-policies\|T1556.009 - Conditional Access Policies]] | T1556.009 | T1556.009 - Conditional Access Policies | <ul><li>IaaS</li><li>Identity Provider</li></ul> |
| [[t1557-adversary-in-the-middle\|T1557 - Adversary-in-the-Middle]] | T1557 | T1557 - Adversary-in-the-Middle | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1557-001-llmnrnbt-ns-poisoning-and-smb-relay\|T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay]] | T1557.001 | T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay | <ul><li>Windows</li></ul> |
| [[t1557-002-arp-cache-poisoning\|T1557.002 - ARP Cache Poisoning]] | T1557.002 | T1557.002 - ARP Cache Poisoning | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1557-003-dhcp-spoofing\|T1557.003 - DHCP Spoofing]] | T1557.003 | T1557.003 - DHCP Spoofing | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1557-004-evil-twin\|T1557.004 - Evil Twin]] | T1557.004 | T1557.004 - Evil Twin | <ul><li>Network Devices</li></ul> |
| [[t1558-steal-or-forge-kerberos-tickets\|T1558 - Steal or Forge Kerberos Tickets]] | T1558 | T1558 - Steal or Forge Kerberos Tickets | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1558-001-golden-ticket\|T1558.001 - Golden Ticket]] | T1558.001 | T1558.001 - Golden Ticket | <ul><li>Windows</li></ul> |
| [[t1558-002-silver-ticket\|T1558.002 - Silver Ticket]] | T1558.002 | T1558.002 - Silver Ticket | <ul><li>Windows</li></ul> |
| [[t1558-003-kerberoasting\|T1558.003 - Kerberoasting]] | T1558.003 | T1558.003 - Kerberoasting | <ul><li>Windows</li></ul> |
| [[t1558-004-as-rep-roasting\|T1558.004 - AS-REP Roasting]] | T1558.004 | T1558.004 - AS-REP Roasting | <ul><li>Windows</li></ul> |
| [[t1558-005-ccache-files\|T1558.005 - Ccache Files]] | T1558.005 | T1558.005 - Ccache Files | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1606-forge-web-credentials\|T1606 - Forge Web Credentials]] | T1606 | T1606 - Forge Web Credentials | <ul><li>SaaS</li><li>Windows</li><li>macOS</li><li>Linux</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1606-001-web-cookies\|T1606.001 - Web Cookies]] | T1606.001 | T1606.001 - Web Cookies | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>SaaS</li><li>IaaS</li></ul> |
| [[t1606-002-saml-tokens\|T1606.002 - SAML Tokens]] | T1606.002 | T1606.002 - SAML Tokens | <ul><li>SaaS</li><li>Windows</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1621-multi-factor-authentication-request-generation\|T1621 - Multi-Factor Authentication Request Generation]] | T1621 | T1621 - Multi-Factor Authentication Request Generation | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>IaaS</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1649-steal-or-forge-authentication-certificates\|T1649 - Steal or Forge Authentication Certificates]] | T1649 | T1649 - Steal or Forge Authentication Certificates | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Identity Provider</li></ul> |
<!-- SerializedQuery END -->

## Mindmap — Credential Access Techniques

```mermaid
mindmap
  root((TA0006<br/>Credential Access))
    Memory Dumping
      T1003 OS Credential Dumping
      Mimikatz sekurlsa
      LSASS Process Dump
      DCSync via lsadump
    Brute Force
      T1110 Brute Force
      T1110.001 Password Guessing
      T1110.003 Password Spraying
      T1110.004 Credential Stuffing
    Input Capture
      T1056 Input Capture
      Keylogging
      Web Portal Capture
      Credential API Hooking
    Browsers and Apps
      T1185 Browser Session Hijacking
      T1539 Steal Web Session Cookie
      T1555 Credentials from Password Stores
    Active Directory
      DCSync
      Kerberoasting
      AS-REP Roasting
      Golden Ticket
    Cloud
      T1606 Forge Web Credentials
      Token Theft
      MFA Fatigue
```

## Actors That Use This Tactic

| Actor | Preferred Credential Technique |
|-------|--------------------------------|
| [[Cozy Bear]] | Mimikatz/sekurlsa, DCSync, golden ticket in AD |
| [[g0032-lazarus-group\|Lazarus Group]] | Credential dumping for access to crypto exchanges |
| [[Fancy Bear]] | Credential phishing, credential stuffing |
| [[lockbit\|LockBit Operators]] | Mimikatz, BloodHound for AD mapping, kerberoasting |
| [[TA505]] | Post-exploitation dumping on servers, then pivots to AD |

## Detection and Mitigation

### Detection

- **Event ID 4625:** Logon failure; patterns indicating brute force / password spraying
- **Sysmon Event ID 10:** Access to the lsass.exe process by unexpected processes
- **Event ID 4648:** Logon with explicit credentials; use of hashes (Pass-the-Hash)
- **EDR alerts:** Mimikatz, ProcDump used against lsass, secretsdump.py
- **Honeypot credentials:** Decoy credentials that should never be used; any use is an alert

### Mitigation

- **Credential Guard:** Isolates NTLM/Kerberos credentials in Virtualization-Based Security
- **Protected Users security group:** Prevents credential caching and NTLM use for critical accounts
- **MFA on all services:** Invalidates credentials even when they are compromised
- **LAPS (Local Administrator Password Solution):** Unique per-host passwords for local accounts
- **Restrict access to lsass:** RunAsPPL enables Protected Process Light

## LATAM/Brazil Relevance

Credential stuffing is extremely prevalent in Brazil: massive data leaks (CPF, e-mail, password) feed attacks against digital banking services and e-commerce platforms. [[feeds|CERT.br]] consistently reports credential stuffing as one of the main account-compromise vectors in the country.

Brazilian banking malware takes a different approach: instead of dumping AD, it focuses on keylogging and capturing banking credentials directly through browser hooking, a technique specialized for the ecosystem of the Brazilian [[financial|financial sector]].
- [[ta0005-defense-evasion|TA0005 - Defense Evasion]] — previous phase
- [[ta0007-discovery|TA0007 - Discovery]] — next phase
- [[t1003-os-credential-dumping|T1003 - OS Credential Dumping]] — dumping via lsass/Mimikatz
- [[t1110-brute-force|T1110 - Brute Force]] — brute force and credential stuffing
- [[t1056-input-capture|T1056 - Input Capture]] — keylogging
- [[t1550-002-pass-the-hash|T1550.002 - Pass-the-Hash]] — use of a stolen hash
- [[t1185-browser-session-hijacking|T1185 - Browser Session Hijacking]] — web session theft
- [[Cozy Bear]] — reference for advanced credential access in AD
- [[_techniques|Index of Techniques]] — overview of all documented techniques

## References

- [[ta0006-*|MITRE ATT&CK - TA0006 Credential Access]]
- [Microsoft — Detecting and Preventing Credential Theft](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft)