Stolen Credentials as an Entry Point: From Infostealers to Nation-State Level Attacks

Depov

Over the past two years, I have dealt with more than fifty incidents where the initial access began with a single login/password pair from a stealer log. In seven out of ten cases, less than 48 hours passed from the first login with the stolen account data to domain admin. The public record is supposedly about 40 minutes: the Muddled Libra group, according to Unit 42, went from initial access to domain admin with built-in Windows tools and stolen credentials, without a single exploit (the exact metric requires verification at the source). It's not an anomaly. It is a reproducible pattern that works equally in commodity attacks and in nation-state operations.
Business logic: why attacks on credentials are cheaper than exploits
Three vendor reports for 2024-2025 paint one picture. CrowdStrike Global Threat Report 2025: 75% of intrusions used valid credentials - Valid Accounts (T1078, Initial Access / Defense Evasion / Persistence / Privilege Escalation). IBM X-Force Threat Intelligence Index 2025: identity-based attacks grew 71% year-on-year, and infostealers, with a 32% share, became the most common malware type, overtaking ransomware. Verizon DBIR 2025: 38% of data breaches are directly related to credential theft.

The reason is purely economic. A zero-day in an enterprise product costs tens to hundreds of thousands of dollars. A set of fresh credentials for an enterprise VPN on a marketplace costs from $10 to $27 depending on the privilege level. And here's the important thing: credential-based initial access leaves no characteristic exploitation artifacts. No shellcode in memory, no anomalies in network traffic, no EDR signatures. The attacker walks in through the front door, and their session is indistinguishable from a legitimate one - until lateral movement begins.

For the pentester and red team, the practical takeaway is this: with current stealer logs you can skip the recon -> exploitation -> foothold stage entirely and go straight to post-exploitation. For the security engineer: the model "detect an exploit on the perimeter" does not cover three-quarters of real intrusions. Three quarters. Not "some part."
Credential harvesting techniques: infostealers as a malware conveyor belt
Infostealers (stealer malware) are programs purpose-built for the automatic collection of credentials from an infected machine. MITRE ATT&CK techniques used by modern stealers:
• Credentials from Web Browsers (T1555.003, Credential Access) - retrieval of saved passwords from Chrome, Firefox and Edge via direct access to the Login Data files (SQLite databases) and decryption of the DPAPI-protected entries. In practice, you simply read the file and call DPAPI.
• Steal Web Session Cookies (T1539, Credential Access) - theft of session cookies, which allows MFA to be bypassed. The attacker replays the cookie and gets into the session without a password or a second factor. MFA becomes a decoration.
• Keylogging (T1056) - interception of keystrokes to capture manually entered passwords, including those not stored in the browser.
This entire zoo operates on the Malware-as-a-Service (MaaS) model. Lumma Stealer is the current market leader after the takedown of the RedLine infrastructure in Operation Magnus (October 2024). Earlier, in May 2024, Operation Endgame hit several dropper botnets (SmokeLoader, IcedID, Pikabot, etc.); the Endgame dataset in Have I Been Pwned (16,466,858 email/password pairs) was obtained from stealer logs seized in that operation, primarily RedLine and Meta Stealer. According to OSIBeond, RedLine infected 9.9 million devices before its shutdown. A subscription to Lumma or StealC costs $150-250 per month and includes a builder/configurator, a control panel and technical support. The barrier to entry is near zero: a couple of hundred dollars and basic skills.


According to secondary aggregators, in the first half of 2025 infostealers stole about 1.8 billion credentials from 5.8 million devices - a claimed growth of 800% compared to the previous period (the primary source of the metric is not verified; similar estimates are published by Flashpoint and KELA, but with discrepancies in methodology). In 2024 alone, stealers stole more than 17 billion browser cookies, including authentication tokens, which allows standard TOTP-based MFA to be bypassed in most implementations.
Anatomy of a stealer log: what's inside
A typical stealer log is a directory with a predictable structure:
Code:
/Browsers/
    Chrome_Default.txt      # URL | login | password
    Firefox_profile0.txt
/Cookies/
    cookies_chrome.txt      # domain | name | value | expiry
/System/
    system_info.txt         # hostname, IP, AV, OS version
/Screenshot/
    screenshot.png
For the pentester and IR analyst, three elements are critical. The first is URL-bound login/password pairs: VPN portals, OWA, Citrix, SaaS. The second is cookies with valid sessions to cloud services (M365, Google Workspace, Slack), which allow MFA to be bypassed via session hijacking. The third is the hostname and the list of installed software. This is ready-made fingerprinting of the target host, which on a pentest usually takes hours of separate work. Here everything is already collected and sorted into folders.
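For the IR side of that triage, the following is an added example (not code from the original post) that parses the two pipe-delimited files from the layout above and reports which monitored corporate domains have exposed logins and still-valid session cookies. The sample rows, the domain list and the file format are constructed assumptions; real logs differ by stealer family.

```python
"""Triage of a stealer-log dump in the layout shown above: parse the
browser credential and cookie files and report which monitored domains
have exposed logins and still-valid session cookies. Added example with
constructed sample rows; real logs vary by stealer family."""
import time

# Constructed Chrome_Default.txt content (URL | login | password).
CHROME_DEFAULT = """\
https://vpn.example.com/login | j.doe@example.com | Winter2024!
https://outlook.office.com/ | j.doe@example.com | Winter2024!
https://shop.example.net/ | jdoe_personal | hunter2
"""
# Constructed cookies_chrome.txt content (domain | name | value | expiry epoch).
COOKIES_CHROME = """\
.login.microsoftonline.com | ESTSAUTH | <redacted> | 4102444800
.slack.com | d | <redacted> | 946684800
"""
CORP_DOMAINS = ("example.com", "office.com", "microsoftonline.com", "slack.com")

def parse_pipe_file(text, fields):
    """Split 'a | b | c' rows into dicts, skipping blank or malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows

def _monitored(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def exposed_credentials(text, domains=CORP_DOMAINS):
    """(host, login) pairs for monitored domains: these need a forced reset."""
    hits = []
    for row in parse_pipe_file(text, ("url", "login", "password")):
        host = row["url"].split("//", 1)[-1].split("/", 1)[0].lower()
        if _monitored(host, domains):
            hits.append((host, row["login"]))
    return hits

def live_session_cookies(text, now=None, domains=CORP_DOMAINS):
    """(domain, cookie name) for monitored domains whose expiry is still in
    the future: replay candidates, so these sessions should be revoked."""
    now = time.time() if now is None else now
    live = []
    for row in parse_pipe_file(text, ("domain", "name", "value", "expiry")):
        dom = row["domain"].lstrip(".").lower()
        if _monitored(dom, domains) and float(row["expiry"]) > now:
            live.append((dom, row["name"]))
    return live
```

Expired cookies are deliberately dropped: the output is the list of sessions to revoke and logins to reset, not an inventory of everything in the log.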
Initial Access Brokers and credential stuffing: stealer logs on the dark web
Between the collection of credentials by a stealer and account takeover (ATO) or a ransomware incident, the intermediary chain is optimized for speed.

Wholesale of stealer logs. The stealer operator offloads logs on marketplaces (English Market and analogues) or in Telegram channels. The price of one log is about $10. "Raw" data sets are sold in bulk from $50, according to Kaspersky Digital Footprint Intelligence. Genesis Market, before its takedown in Operation Cookie Monster (April 2023, FBI/Europol), offered access to about 80 million credentials from about 2 million bots.

Sorting and validation. Specialized groups buy logs in bulk and check which are still valid. According to Push Security, less than 1% of stolen credentials from multi-vendor TI feeds are usable - the rest are outdated or already rotated. But at a volume of 1.8 billion, even 1% is 18 million working pairs. Enough.

Initial Access Broker (IAB). Verified access to corporate networks via RDP, VPN or Citrix is sold separately. The average price of standard access is $500-1,000; a package with admin privileges is about $2,700. IABs do not operate the access themselves - they resell it to ransomware operators, APT groups and BEC fraudsters. An underground access-broker market in its pure form, with its own specialization and reputation system.

Credential stuffing (T1110.004, Credential Access) - automated checking of stolen login/password pairs against many services. According to Push Security, 1 in 3 employees reuses passwords, and 9% of identities have a reused password without MFA. One leak turns into the compromise of a dozen accounts. OWASP A07:2021 (Identification and Authentication Failures) lists credential stuffing and password spraying as critical risks to web applications.

An example of the scale is the Nobitex crypto exchange. According to OSIBeond, the computers of two employees were infected with StealC and RedLine months before the attack. The stealers quietly collected admin passwords and logins for webmail and project management systems. Through the stolen access, the attackers penetrated internal systems and drained $81.7 million from hot wallets. Two infected laptops - 81 million.


A typical chain, reproduced on pentests and recorded in real incidents.

[Applicable to: internal pentest, grey box (with low-privileged credentials) and black box; modern infrastructure with Active Directory]

1. Initial Access - Valid Accounts (T1078). The attacker uses credentials from a stealer log to log in to a corporate VPN or RDP. Without MFA, access is instant. With MFA, but with a session cookie in hand (T1539), MFA is bypassed. Change Healthcare incident (February 2024): stolen credentials to Citrix without MFA led to the theft of data on more than 100 million patients (according to UHG, October 2024), a claimed volume of 6 TB (ALPHV/BlackCat statement, not confirmed by the victim), damage of $872 million (official Q1 2024 report) and a payment of $2 million. One login/password pair - $872 million of damage.

2. Host Recon. whoami /all, systeminfo, tasklist - determine privileges, the OS version and the running EDR agent processes. In grey-box scenarios (with low-privileged credentials), this step critically affects the choice of vector: SeDebugPrivilege present -> go to LSASS Memory; no privileges -> Kerberoasting or hunting for misconfigured services.

3. Credential Dumping - LSASS Memory (T1003.001, Credential Access). Extraction of NTLM hashes and Kerberos tickets from the memory of lsass.exe.

Evasion context by vendor: [table image, not included in the text]


When the technique does NOT work: Credential Guard (Windows 10/11 Enterprise, Server 2016+) moves NTLM hashes into the isolated LSA (LSAIso) process - an LSASS dump is useless. Alternatives: DCSync (if replication rights are available), Kerberoasting (requires no privileges), DPAPI abuse to extract stored passwords. In practice, Credential Guard is less common than we would like - many have not enabled it even on Server 2019+.

4. Lateral Movement - Pass the Hash (T1550.002, Defense Evasion / Lateral Movement). The NTLM hashes from step 3 are used for authentication on adjacent hosts. crackmapexec smb 10.0.0.0/24 -u admin -H <hash> for mass checking, impacket-wmiexec to get a shell.

Restrictions: PtH works exclusively with NTLM authentication. In environments with enforced Kerberos (AES-only, GPO "Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all") it is inapplicable. CrowdStrike Falcon Identity Protection and Microsoft Defender for Identity raise a PtH alert on detecting LogonType 3 + NtLmSsp without a preceding event 4648. But I have seen environments where these alerts drown in noise - no one is watching.

5. Persistence - Golden Ticket (T1558.001, Credential Access). With krbtgt compromised (via DCSync with Domain Admins / Replicating Directory Changes rights), the attacker forges a Kerberos TGT with an arbitrary validity period. The forged TGT remains valid until the krbtgt password is reset twice (a single reset does not invalidate the ticket, because the KDC keeps both the current and the previous key). Two resets, not one - this is regularly forgotten during response.

The entire chain, in the absence of adequate monitoring, takes 2-4 hours. In the case of Muddled Libra (Unit 42) - 40 minutes, with initial access via help desk social engineering instead of stealer logs.
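On the detection side of step 4, the following is an added example (not from the original post or any vendor's product) of the heuristic the post attributes to those vendors: an NTLM network logon (4624, LogonType 3, NtLmSsp) that no explicit-credential event (4648) for the same account and source host preceded within a short window. The event records and field names are constructed assumptions, as is the 5-minute window; in production it is the noise tuning the post mentions that decides whether the rule is usable.

```python
"""Heuristic Pass-the-Hash detection over Windows security events: a
network logon (4624, LogonType 3) via NTLM (NtLmSsp) with no explicit-
credential event (4648) for the same account and source host shortly
before it, as described above. Added example; events are constructed."""
from datetime import datetime, timedelta

# Constructed, SIEM-normalised events. For 4648 (logged on the source
# host) "src" is the host that logged it; for 4624 it is the client host.
EVENTS = [
    {"id": 4648, "ts": "2025-03-01T10:00:00", "user": "svc_backup", "src": "WS-17"},
    {"id": 4624, "ts": "2025-03-01T10:00:02", "user": "svc_backup", "src": "WS-17",
     "target": "FS-01", "logon_type": 3, "process": "NtLmSsp"},
    # NTLM network logon with no 4648 from that source: PtH candidate.
    {"id": 4624, "ts": "2025-03-01T10:05:00", "user": "admin", "src": "WS-42",
     "target": "FS-02", "logon_type": 3, "process": "NtLmSsp"},
    # Kerberos network logon: outside this heuristic.
    {"id": 4624, "ts": "2025-03-01T10:06:00", "user": "admin", "src": "WS-42",
     "target": "FS-03", "logon_type": 3, "process": "Kerberos"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def pth_candidates(events, window_s=300):
    """Return (user, src, target) for NTLM type-3 logons that no 4648 from
    the same user and source host preceded within `window_s` seconds."""
    window = timedelta(seconds=window_s)
    explicit = [e for e in events if e["id"] == 4648]
    hits = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 3:
            continue
        if e.get("process") != "NtLmSsp":
            continue
        t = _ts(e)
        preceded = any(
            x["user"] == e["user"] and x["src"] == e["src"]
            and t - window <= _ts(x) <= t
            for x in explicit
        )
        if not preceded:
            hits.append((e["user"], e["src"], e["target"]))
    return hits
```

Correlating 4648 (source host) with 4624 (target host) only works when both hosts forward their security logs to the same SIEM; a gap in collection on workstations shows up as false positives from this rule.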
Nation-state credential theft vs commodity: where the line runs
At the technique level (T1078, T1003.001, T1550.002), commodity and nation-state are often indistinguishable. The differences show up in OPSEC, timeline and goals.

Commodity (ransomware crews, BEC-groups):
• Credential source: mass stealer logs, public leaks (Exploit.In - 593 million records, LinkedIn - 164 million, according to Have I Been Pwned)
• Timeline: hours to days from initial access to impact
• OPSEC: minimal; noisy tools, Cobalt Strike with default profiles
• Goal: money - ransomware, data extortion, BEC
Nation-state (APT29, Iranian groups, DPRK):
• Credential source: targeted phishing, supply chain, and stealer logs for quiet access to diplomatic mail
• Timeline: weeks to months, slow progression
• OPSEC: high; living off the land, legitimate RMM for C2, tunneling services
• Goal: espionage, strategic access
Case: Microsoft, January 2024. APT29 ran password spraying against a non-production Microsoft tenant without MFA. Through a compromised test OAuth application with elevated privileges, they gained access to employee email. According to Push Security, the attack continued through 2024 with a significant increase in spraying intensity and allegedly affected many external organizations (the exact scale is not independently verified). Microsoft. A test tenant without MFA. You read it and you don't believe it.

Case: Snowflake, April-June 2024. 165 organizations compromised via credentials from stealer logs dating back to 2020. None of the affected accounts used MFA. According to Vectra, six infostealer families were involved. The line between commodity and APT is blurred here: the tooling is commodity (stealer logs from a marketplace), the coordination is at the level of an organized group.

According to CrowdStrike, China-nexus adversary activity grew by 150% in 2024, and malicious use of GenAI for social engineering doubled - both trends directly fuel credential exposure and account compromise.
Detection: specific SIEM rules against credential-based attacks
4. Session cookie replay (T1539). Impossible-travel monitoring: a new session in M365/Google Workspace from an IP geographically incompatible with the previous one within a short timeframe. Google Chrome is implementing Device Bound Session Credentials (DBSC) - binding to the TPM, which makes replay impossible, but there is no mass deployment yet.
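An added example (not from the original post) of the impossible-travel rule above: consecutive sign-ins per user are compared and flagged when the implied travel speed between the two source locations is not physically plausible. It assumes the SIEM has already resolved each source IP to coordinates; the sign-in records, IPs and the 900 km/h threshold are constructed.

```python
"""Impossible-travel check for cloud sign-in logs (M365 / Google Workspace
style), as an added example with constructed records. Assumes the SIEM
has already resolved source IPs to coordinates."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # faster than an airliner -> not plausible travel

# Constructed sign-in records: (user, timestamp, src_ip, lat, lon).
SIGNINS = [
    ("j.doe", "2025-03-01T08:00:00", "203.0.113.10", 52.52, 13.41),   # Berlin
    ("j.doe", "2025-03-01T08:35:00", "198.51.100.7", 40.71, -74.01),  # New York
    ("a.lee", "2025-03-01T09:00:00", "203.0.113.20", 51.51, -0.13),   # London
    ("a.lee", "2025-03-01T12:00:00", "203.0.113.21", 48.86, 2.35),    # Paris
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    Returns (user, prev_ip, new_ip, speed_kmh): the new session is the replay
    candidate and should be revoked and re-authenticated."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: (r[0], r[1])):
        by_user.setdefault(rec[0], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            delta = datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])
            hours = delta.total_seconds() / 3600
            dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
            # Two sign-ins at the same instant from different places: infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev[2], cur[2], round(speed)))
    return alerts
```

Geo-IP for VPN egress points and mobile carriers is coarse, so in practice this rule is paired with a known-VPN allow list rather than run raw.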

The limitation of all detections. According to Unit 42, credential-based attacks succeed not because of advanced techniques, but because organizations miss or misclassify critical signals. Alert fatigue and low detection coverage are the main enablers. The average gap between infostealer infection and detection is 4 days (Vectra). Four days. In that time, the entire kill chain can be run twice. OWASP A09:2021 (Security Logging and Monitoring Failures) describes the situation in which the lack of adequate logging makes detection of account compromise impossible, regardless of the quality of the correlation rules.