# Credential Access
```mermaid
graph TB
A["🔑 Goal: Credentials"] --> B["💾 Memory Dumping<br/>T1003 - LSASS / NTDS"]
A --> C["🔓 Brute Force<br/>T1110 - Spraying / Stuffing"]
A --> D["🎭 MFA Interception<br/>T1111 - MFA Bypass"]
A --> E["🍪 Tokens and Cookies<br/>T1539 / T1528"]
A --> F["🎟️ Kerberos Attacks<br/>T1558 - Golden / Silver Ticket"]
B --> G["✅ Privileged Access<br/>Lateral Movement"]
C --> G
D --> G
E --> G
F --> G
```
> [!info] Overview
> The Credential Access tactic (TA0006) groups the techniques used to steal credentials such as passwords, hashes, tokens, and certificates. Credential compromise is a critical inflection point: it lets the attacker escalate privileges, move laterally, and persist in the environment without needing additional exploits.
> **Techniques:** 62 techniques covering memory dumping, Kerberos attacks, brute force, MFA interception, and application token theft.
> **LATAM highlight:** Credential stuffing against banking portals and gov.br is extremely prevalent in the Brazilian threat ecosystem.

> [!warning] Brazil/LATAM Context
> Brazil is one of the countries with the highest volume of credential leaks on underground forums, feeding **credential stuffing (T1110.004)** campaigns against banks, e-commerce, and government services. Groups such as **Blind Eagle** and operators of banking RATs such as **Grandoreiro** and **Mekotio** specialize in stealing financial credentials. **Kerberoasting (T1558.003)** attacks also appear in Active Directory compromises at large Brazilian corporations.

> **62 techniques** · Theft of credentials, tokens, hashes, and passwords - keylogging, dumping, brute force.
%%
```dataview
TABLE WITHOUT ID
link(file.link, title) AS "Nome"
FROM "ttp/techniques/credential-access"
WHERE type = "technique"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/credential-access" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/credential-access" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
| [[t1003-os-credential-dumping\|T1003 - OS Credential Dumping]] | T1003 - OS Credential Dumping |
| [[t1003-001-lsass-memory\|T1003.001 - LSASS Memory]] | T1003.001 - LSASS Memory |
| [[t1003-002-security-account-manager\|T1003.002 - Security Account Manager]] | T1003.002 - Security Account Manager |
| [[t1003-003-ntds\|T1003.003 - NTDS]] | T1003.003 - NTDS |
| [[t1003-004-lsa-secrets\|T1003.004 - LSA Secrets]] | T1003.004 - LSA Secrets |
| [[t1003-005-cached-domain-credentials\|T1003.005 - Cached Domain Credentials]] | T1003.005 - Cached Domain Credentials |
| [[t1003-006-dcsync\|T1003.006 - DCSync]] | T1003.006 - DCSync |
| [[t1003-007-proc-filesystem\|T1003.007 - Proc Filesystem]] | T1003.007 - Proc Filesystem |
| [[t1003-008-etcpasswd-and-etcshadow\|T1003.008 - /etc/passwd and /etc/shadow]] | T1003.008 - /etc/passwd and /etc/shadow |
| [[t1040-network-sniffing\|T1040 - Network Sniffing]] | T1040 - Network Sniffing |
| [[t1110-brute-force\|T1110 - Brute Force]] | T1110 - Brute Force |
| [[t1110-001-password-guessing\|T1110.001 - Password Guessing]] | T1110.001 - Password Guessing |
| [[t1110-002-password-cracking\|T1110.002 - Password Cracking]] | T1110.002 - Password Cracking |
| [[t1110-003-password-spraying\|T1110.003 - Password Spraying]] | T1110.003 - Password Spraying |
| [[t1110-004-credential-stuffing\|T1110.004 - Credential Stuffing]] | T1110.004 - Credential Stuffing |
| [[t1111-multi-factor-authentication-interception\|T1111 - Multi-Factor Authentication Interception]] | T1111 - Multi-Factor Authentication Interception |
| [[t1187-forced-authentication\|T1187 - Forced Authentication]] | T1187 - Forced Authentication |
| [[t1212-exploitation-for-credential-access\|T1212 - Exploitation for Credential Access]] | T1212 - Exploitation for Credential Access |
| [[t1528-steal-application-access-token\|T1528 - Steal Application Access Token]] | T1528 - Steal Application Access Token |
| [[t1539-steal-web-session-cookie\|T1539 - Steal Web Session Cookie]] | T1539 - Steal Web Session Cookie |
| [[t1552-unsecured-credentials\|T1552 - Unsecured Credentials]] | T1552 - Unsecured Credentials |
| [[t1552-001-credentials-in-files\|T1552.001 - Credentials In Files]] | T1552.001 - Credentials In Files |
| [[t1552-002-credentials-in-registry\|T1552.002 - Credentials in Registry]] | T1552.002 - Credentials in Registry |
| [[t1552-003-shell-history\|T1552.003 - Shell History]] | T1552.003 - Shell History |
| [[t1552-004-private-keys\|T1552.004 - Private Keys]] | T1552.004 - Private Keys |
| [[t1552-005-cloud-instance-metadata-api\|T1552.005 - Cloud Instance Metadata API]] | T1552.005 - Cloud Instance Metadata API |
| [[t1552-006-group-policy-preferences\|T1552.006 - Group Policy Preferences]] | T1552.006 - Group Policy Preferences |
| [[t1552-007-container-api\|T1552.007 - Container API]] | T1552.007 - Container API |
| [[t1552-008-chat-messages\|T1552.008 - Chat Messages]] | T1552.008 - Chat Messages |
| [[t1555-credentials-from-password-stores\|T1555 - Credentials from Password Stores]] | T1555 - Credentials from Password Stores |
| [[t1555-001-keychain\|T1555.001 - Keychain]] | T1555.001 - Keychain |
| [[t1555-002-securityd-memory\|T1555.002 - Securityd Memory]] | T1555.002 - Securityd Memory |
| [[t1555-003-credentials-from-web-browsers\|T1555.003 - Credentials from Web Browsers]] | T1555.003 - Credentials from Web Browsers |
| [[t1555-004-windows-credential-manager\|T1555.004 - Windows Credential Manager]] | T1555.004 - Windows Credential Manager |
| [[t1555-005-password-managers\|T1555.005 - Password Managers]] | T1555.005 - Password Managers |
| [[t1555-006-cloud-secrets-management-stores\|T1555.006 - Cloud Secrets Management Stores]] | T1555.006 - Cloud Secrets Management Stores |
| [[t1556-modify-authentication-process\|T1556 - Modify Authentication Process]] | T1556 - Modify Authentication Process |
| [[t1556-001-domain-controller-authentication\|T1556.001 - Domain Controller Authentication]] | T1556.001 - Domain Controller Authentication |
| [[t1556-002-password-filter-dll\|T1556.002 - Password Filter DLL]] | T1556.002 - Password Filter DLL |
| [[t1556-003-pluggable-authentication-modules\|T1556.003 - Pluggable Authentication Modules]] | T1556.003 - Pluggable Authentication Modules |
| [[t1556-004-network-device-authentication\|T1556.004 - Network Device Authentication]] | T1556.004 - Network Device Authentication |
| [[t1556-005-reversible-encryption\|T1556.005 - Reversible Encryption]] | T1556.005 - Reversible Encryption |
| [[t1556-006-multi-factor-authentication\|T1556.006 - Multi-Factor Authentication]] | T1556.006 - Multi-Factor Authentication |
| [[t1556-007-hybrid-identity\|T1556.007 - Hybrid Identity]] | T1556.007 - Hybrid Identity |
| [[t1556-008-network-provider-dll\|T1556.008 - Network Provider DLL]] | T1556.008 - Network Provider DLL |
| [[t1556-009-conditional-access-policies\|T1556.009 - Conditional Access Policies]] | T1556.009 - Conditional Access Policies |
| [[t1557-adversary-in-the-middle\|T1557 - Adversary-in-the-Middle]] | T1557 - Adversary-in-the-Middle |
| [[t1557-001-llmnrnbt-ns-poisoning-and-smb-relay\|T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay]] | T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay |
| [[t1557-002-arp-cache-poisoning\|T1557.002 - ARP Cache Poisoning]] | T1557.002 - ARP Cache Poisoning |
| [[t1557-003-dhcp-spoofing\|T1557.003 - DHCP Spoofing]] | T1557.003 - DHCP Spoofing |
| [[t1557-004-evil-twin\|T1557.004 - Evil Twin]] | T1557.004 - Evil Twin |
| [[t1558-steal-or-forge-kerberos-tickets\|T1558 - Steal or Forge Kerberos Tickets]] | T1558 - Steal or Forge Kerberos Tickets |
| [[t1558-001-golden-ticket\|T1558.001 - Golden Ticket]] | T1558.001 - Golden Ticket |
| [[t1558-002-silver-ticket\|T1558.002 - Silver Ticket]] | T1558.002 - Silver Ticket |
| [[t1558-003-kerberoasting\|T1558.003 - Kerberoasting]] | T1558.003 - Kerberoasting |
| [[t1558-004-as-rep-roasting\|T1558.004 - AS-REP Roasting]] | T1558.004 - AS-REP Roasting |
| [[t1558-005-ccache-files\|T1558.005 - Ccache Files]] | T1558.005 - Ccache Files |
| [[t1606-forge-web-credentials\|T1606 - Forge Web Credentials]] | T1606 - Forge Web Credentials |
| [[t1606-001-web-cookies\|T1606.001 - Web Cookies]] | T1606.001 - Web Cookies |
| [[t1606-002-saml-tokens\|T1606.002 - SAML Tokens]] | T1606.002 - SAML Tokens |
| [[t1621-multi-factor-authentication-request-generation\|T1621 - Multi-Factor Authentication Request Generation]] | T1621 - Multi-Factor Authentication Request Generation |
| [[t1649-steal-or-forge-authentication-certificates\|T1649 - Steal or Forge Authentication Certificates]] | T1649 - Steal or Forge Authentication Certificates |
<!-- SerializedQuery END -->