AWS ChangePassword
Allows an IAM user to change their own AWS Management Console login password.
Credential Access
Credential Access
Section titled “Credential Access”The adversary is trying to steal account names and passwords.
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
In cloud environments, adversaries target API keys, service account credentials, and temporary security tokens. Techniques include querying instance metadata services (IMDS), accessing secrets managers, dumping environment variables from serverless functions, and harvesting credentials from code repositories or CI/CD pipelines.
View Credential Access on MITRE ATT&CK →Events Related to Credential Access
Section titled “Events Related to Credential Access”AWS CreateAccessKey
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
GCP generateAccessToken
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
AWS GetAuthorizationToken
Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.
AWS GetFederationToken
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
AWS GetParameters
Retrieves one or more parameters from AWS Systems Manager Parameter Store, optionally decrypting SecureString values.
AWS GetPasswordData
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.
AWS GetSecretValue
Retrieves the plaintext value of a secret stored in AWS Secrets Manager.
AWS GetSessionToken
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
AWS GetSigninToken
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
GCP google.iam.admin.v1.CreateServiceAccountKey
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication. This is the admin activity audit log format; see also iam.serviceAccountKeys.create for the data access format.
GCP iam.serviceAccountKeys.create
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account. This is the data access audit log format; see also google.iam.admin.v1.CreateServiceAccountKey for the admin activity format.
GCP iam.serviceAccounts.getAccessToken
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
GCP iam.serviceAccounts.signJwt
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
Azure Microsoft.AppConfiguration/configurationStores/listKeys/action
Lists the access keys for an Azure App Configuration store, exposing credentials used to read or write configuration data.
Azure Microsoft.Automation/automationAccounts/credentials/read
Reads credential assets stored in an Azure Automation account, potentially exposing sensitive authentication data.
Azure Microsoft.Batch/batchAccounts/listKeys/action
Lists the access keys for an Azure Batch account, exposing credentials used to authenticate Batch API calls.
Azure Microsoft.ContainerRegistry/registries/listCredentials/action
Lists the admin credentials for an Azure Container Registry, exposing the username and password for registry access.
Azure Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Azure Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Retrieves the user-level kubeconfig for an AKS cluster.
Azure Microsoft.Directory/servicePrincipals/credentials/update
Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.
Azure Microsoft.KeyVault/vaults/accessPolicies/write
Modifies Key Vault access policies, potentially granting unauthorized access to secrets, keys, and certificates.
Azure Microsoft.KeyVault/vaults/certificates/read
Reads a certificate stored in an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/keys/read
Reads a cryptographic key from an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/secrets/read
Reads a secret value from an Azure Key Vault.
Azure Microsoft.OperationalInsights/workspaces/sharedKeys/action
Retrieves the primary and secondary access keys for a Log Analytics workspace.
Azure Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action
Lists the access keys for an Azure Service Bus namespace authorization rule, exposing connection strings for messaging.
Azure Microsoft.Storage/storageAccounts/listKeys/action
Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.
Azure Microsoft.Storage/storageAccounts/regenerateKey/action
Regenerates one of the two access keys for an Azure Storage account, invalidating the previous key.
Azure Microsoft.Web/sites/host/listKeys/action
Lists the host keys for an Azure App Service or Azure Functions app, exposing function-level and master access keys.
AWS PasswordRecoveryRequested
Records a request to recover or reset the AWS account root user password via the password reset process.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.
AWS UpdateLoginProfile
Updates the console login password for an IAM user.
Azure VaultPatch
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.