Acquisition of Stolen Keys & Credentials
Adversaries may obtain stolen credentials or cryptographic keys through various illicit means to gain unauthorized access to applications and systems. Within the Resource Development phase, this sub-technique represents adversaries' efforts to acquire authentication material that has previously been exfiltrated from compromised systems, purchased from dark web marketplaces, or obtained via data breaches. Unlike self-generated credentials, these stolen assets provide immediate access to legitimate identities, allowing attackers to bypass traditional authentication controls without triggering the anomaly detection that might flag new account creation. Adversaries typically leverage these stolen credentials to establish initial access, perform lateral movement, escalate privileges, or persist within the target environment. The value of these assets is particularly high when they include privileged accounts (such as administrator credentials), API keys with extensive permissions, or certificates that can be used to encrypt malicious traffic or sign malicious code. Organizations face significant challenges in detecting the use of credentials that were legitimately issued but later stolen, because the authentication events themselves appear normal in security logs until unusual access patterns emerge.
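Because a login with stolen-but-valid credentials succeeds and looks routine, detection has to key on access patterns rather than on the authentication result. The following is an added defender-side example, not part of the original text: it runs two such pattern checks (an unseen source for an account, with higher severity for privileged accounts, and two countries within an implausibly short window) over a few constructed login events. The event fields, the per-account IP baseline, the privileged-account set and the two-hour travel threshold are all assumptions for the illustration.

```python
from datetime import datetime

# Constructed sample events: (timestamp, account, source IP, country, result).
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "10.0.0.5", "US", "success"),
    ("2024-05-01T08:05:00", "admin-ops", "10.0.0.7", "US", "success"),
    ("2024-05-01T09:00:00", "alice", "10.0.0.5", "US", "success"),
    ("2024-05-01T09:20:00", "admin-ops", "203.0.113.9", "RO", "success"),
    ("2024-05-01T10:00:00", "bob", "10.0.0.8", "US", "failure"),
]
# Assumed baseline of source IPs each account normally logs in from.
BASELINE = {"alice": {"10.0.0.5"}, "admin-ops": {"10.0.0.7"}}
PRIVILEGED = {"admin-ops"}          # assumed list of high-value accounts
MAX_TRAVEL_HOURS = 2                # assumed "impossible travel" window


def detect(events, baseline_ips):
    """Return (timestamp, account, reason, severity) alerts for successful
    logins that passed authentication but break the account's usual pattern."""
    alerts = []
    last_seen = {}  # account -> (datetime, country) of its previous success
    for ts, account, ip, country, result in sorted(events):
        if result != "success":
            continue  # stolen credentials authenticate fine; failures are not the signal here
        t = datetime.fromisoformat(ts)
        # Check 1: a source this account has never used before.
        if ip not in baseline_ips.get(account, set()):
            sev = "high" if account in PRIVILEGED else "medium"
            alerts.append((ts, account, f"new source {ip} ({country})", sev))
        # Check 2: a different country within MAX_TRAVEL_HOURS of the last success.
        prev = last_seen.get(account)
        if prev and prev[1] != country and \
                (t - prev[0]).total_seconds() < MAX_TRAVEL_HOURS * 3600:
            alerts.append((ts, account, f"impossible travel {prev[1]}->{country}", "high"))
        last_seen[account] = (t, country)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Against the constructed events only the privileged account trips both checks, which is the kind of post-authentication signal the paragraph says defenders are left with.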