Credential access is the intrusion phase in which an attacker steals account credentials (passwords, password hashes, Kerberos tickets, and API keys) in order to authenticate as legitimate users and spread through an environment. Credentials are harvested from memory (LSASS), registry hives (SAM, LSA secrets), disk (config files, /etc/shadow), the network (LLMNR poisoning), and applications (browsers, Credential Manager). It is the engine behind lateral movement: a credential that is valid on more than one system turns one compromised host into many.
What credential access is
Once an attacker has a foothold, they rarely have the credentials they ultimately want. Credential access is the work of harvesting more: every password, hash, ticket, or key they can pull from the machine and the network.
Those credentials are the currency of an intrusion. With them the attacker authenticates as real users, so their activity blends in and they can reach systems their initial foothold never could.
Where credentials hide
Credentials live in many places, each with its own page:
- Memory: the LSASS process caches the secrets of signed-in users (NT hashes and Kerberos tickets, and cleartext passwords where WDigest caching is enabled).
- Registry hives: the SAM (local account hashes) and the SECURITY hive (LSA secrets and cached domain credentials).
- Application stores: DPAPI, Credential Manager, and browsers.
- Disk: /etc/shadow and unsecured credentials in config files, scripts, and other files.
- The network: LLMNR poisoning captures NTLM challenge-responses (Net-NTLMv2) on the wire; these are not the same thing as the NT hashes held in the SAM or LSASS.
What attackers do with credentials
Harvested credentials feed straight into lateral movement. Cleartext passwords are reused directly. NT hashes dumped from the SAM or LSASS are either cracked offline with Hashcat or John, or used as-is via Pass-the-Hash, because NTLM authentication only ever proves possession of the hash, never of the password. Net-NTLMv2 responses captured on the wire are bound to the server's challenge, so they can be cracked or relayed but not passed. Kerberos tickets are replayed with Pass-the-Ticket.
That loop (dump on host A, reuse on host B, dump host B, and so on) is what carries an attacker to a Domain Controller.