Legitimate credentials are the key elements behind successful cyber-attacks. Adversaries steal credentials for multiple reasons, sell them on the dark web, access computer systems, and maintain persistence. According to Verizon’s 2021 Data Breach Investigation Report (DBIR), 61% of all breaches involved credentials. The stolen credentials allow the creation of more accounts and target the organization-wide compromise.

This whitepaper focuses on understanding how adversaries can dump credentials using advanced tools and techniques and solutions for building a strong defense against credential theft. This document also captures credential access techniques mapped to MITRE ATT&CK using Red Canary’s Atomic Red Team tool, an open-source testing framework.