Credential Access
Details
| Field | Value |
|---|---|
| ID | PT0006 |
| MITRE ATT&CK ID | TA0006 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
Description
The adversary is trying to steal or duplicate physical access credentials.
Credential Access consists of techniques for obtaining badges, keys, PINs, biometrics, or other tokens used to authenticate at doors and checkpoints. Captured credentials often enable Initial Access, Privilege Escalation, and Lateral Movement.
Techniques
| ID | Name | Description |
|---|---|---|
| P0014 | Steal Valid Credentials | Adversaries may steal physical access credentials from personnel, workspaces, or unsecured storage. Stolen badges, keys, or PINs can be used immediately or retained for later entry, privilege escalation, and lateral movement. |
| P0014.001 | Shoulder Surf PIN Entry | Adversaries may observe personnel entering PINs at doors, gates, or PIN pads to capture access codes without handling credentials directly. Shoulder surfing can occur in queues, at turnstiles, or by positioning near controlled entry points. |
| P0015 | Forge Key | Adversaries may create unauthorized copies of mechanical keys or obtain keys cut to match target locks. Forged keys enable entry without triggering electronic access logs when mechanical locks are used alone or as a fallback. |
| P0016 | Clone Badge | Adversaries may duplicate access badges or cards using captured credential data or physical specimens. Cloned badges can grant entry at readers that do not enforce additional verification or detect duplicate serial numbers. |
| P0016.001 | Skim Badge with Covert Reader | Adversaries may place covert reader hardware over or adjacent to legitimate access readers to capture badge data without the holder's knowledge. Covert readers may resemble the original reader face or hide in mounting gaps and can record credentials for later cloning. |
| P0016.002 | Capture Badge with Long-Range Reader | Adversaries may use long-range or portable RFID/NFC readers to capture badge data from personnel at a distance, through clothing, or without interaction at a controlled door. |
| P0038 | Manipulate Electronic Access Control | Adversaries may tamper with electronic access hardware such as card readers, PIN pads, and electronic locks, or related wiring and controllers, to bypass or spoof the control, capture credentials, or hold access in an open state. Manipulated controls can enable initial entry, credential theft, movement between zones, or covert re-entry without valid credentials while appearing operational. |
| P0038.001 | Implant Covert Capture Device | Adversaries may install concealed hardware inside or behind card readers and PIN pads to intercept credential data passed to access controllers. Implants may sit inline on reader wiring or within the enclosure, capturing badge reads and PIN entry for later use while leaving the device outwardly functional. |