Anatomy of a Credential Attack
Understanding how attackers discover and exploit leaked credentials helps security teams build better defenses. This document walks through the typical stages of a credential-based attack.
Stage 1: Discovery
Attackers use multiple methods to find exposed credentials. The most common approaches include:
Automated Scanning
Sophisticated tools continuously scan public sources for credential patterns:
- GitHub and GitLab — Scanning public repositories, commits, gists, and issues
- Paste sites — Monitoring Pastebin and similar text-sharing platforms
- Search engines — Using Google dorks to find exposed configuration files
- Dark web — Monitoring breach databases and underground forums
- Cloud storage — Scanning for misconfigured S3 buckets and blob containers
These scanners run 24/7 and can detect new exposures within minutes of them appearing online.
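The core of such a scanner is pattern matching plus an entropy filter, and the same logic is what a pre-commit or CI secret-scanning hook runs on the defender's side. The following is an added example, not tooling from the original page: it runs the vendor-documented key formats (AWS access key IDs, AWS secret keys, GitHub tokens, PEM private-key headers) and a generic password=/api_key= matcher over a constructed commit diff, and drops low-entropy placeholders such as "changeme" so that only values which look like real secrets are reported. The sample diff is constructed for this example (the AWS values are the placeholder keys from AWS's own documentation), and the function names and the 3.5 bits/char threshold are this example's assumptions.

```python
import math
import re
from collections import Counter

# Credential formats worth matching directly. The AWS and GitHub prefixes are
# the vendors' documented key formats; an AWS secret key is 40 base64 chars.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "private_key": re.compile(
        r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
}

# Catch-all for password=..., api_key: ... style assignments. These are noisy
# (placeholders, test fixtures), so a match is only reported when the value
# has enough Shannon entropy to look like a real secret.
GENERIC_PATTERN = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})")
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed cut-off): "changeme" ~2.75, 32-char hex ~3.9


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher means more random-looking."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so findings can be triaged without re-leaking."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str) -> list:
    """Return one finding per credential-looking value in `text`, in line order."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                seen.add(value)
                findings.append({"line": lineno, "kind": kind, "value": redact(value)})
        for match in GENERIC_PATTERN.finditer(line):
            value = match.group(1)
            if value in seen:
                continue  # already reported under a specific pattern
            entropy = shannon_entropy(value)
            if entropy < ENTROPY_THRESHOLD:
                continue  # placeholder such as "changeme": not a secret
            seen.add(value)
            findings.append({"line": lineno, "kind": "high_entropy_secret",
                             "value": redact(value), "entropy": round(entropy, 2)})
    return findings


# Constructed sample: a commit diff of the kind a public-repo scanner sees.
# The AWS values are the placeholder keys from AWS's documentation; every
# other value is made up for this example.
SAMPLE_DIFF = """\
+++ b/config/.env
+DEBUG=true
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+GITHUB_TOKEN=ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+DB_PASSWORD=changeme
+api_key = "9f4c2e1a7b3d5e6f8a0b1c2d3e4f5a6b"
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DIFF):
        print(finding)
```

Line 6 (DB_PASSWORD=changeme) is deliberately not reported: the keyword matches, but the value's entropy is far below the threshold. That filter is what keeps a scanner usable on real repositories, and it is also the reason attackers' scanners rarely waste validation attempts on obvious placeholders.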
Manual Research
Targeted attackers also perform manual reconnaissance:
- Reviewing a company's public repositories for secrets in commit history
- Searching for the company name combined with terms like "password," "api_key," or "secret"
- Analyzing job postings and documentation for technology stack hints
- Social engineering employees to reveal credential information
Stage 2: Validation
Once potential credentials are discovered, attackers validate whether they're still active:
Automated Testing
For common services, attackers use automated tools to test credentials:
# Example: Testing AWS credentials. The CLI reads the key pair from the environment
# (or a profile); sts get-caller-identity has no --access-key-id flag.
AWS_ACCESS_KEY_ID=AKIA... AWS_SECRET_ACCESS_KEY=... aws sts get-caller-identity
# Example: Testing a GitHub token
curl -H "Authorization: token ghp_..." https://api.github.com/user
A successful GetCallerIdentity call returns the account ID, user ID and ARN behind the key. It requires no IAM permissions and an explicit deny in policy does not stop it, but it is recorded in CloudTrail, so the validation probe itself is a detection opportunity for defenders. The GitHub call returns the token owner's profile; a 401 response means the token is invalid or has been revoked.
Careful Probing
Sophisticated attackers test credentials carefully to avoid detection:
- Using residential proxies to avoid IP-based blocking
- Testing during business hours to blend with normal traffic
- Making as few API calls as possible to stay below rate-limit and anomaly thresholds
- Sourcing traffic from the region the credential is normally used from
Validation Services
Underground services exist specifically to validate stolen credentials at scale, testing thousands of credentials against multiple services simultaneously.
Stage 3: Initial Access
With validated credentials, attackers establish their foothold:
Direct Service Access
The simplest path—using the credential for its intended purpose:
- Logging into cloud consoles (AWS, Azure, GCP)
- Accessing databases directly
- Authenticating to APIs
- Connecting via SSH or RDP
Privilege Discovery
Attackers immediately assess what the credential provides access to:
- Enumerating permissions and roles
- Listing accessible resources
- Identifying connected systems
- Mapping the internal network topology
Avoiding Detection
Initial access is designed to look legitimate:
- Using the same user agents as legitimate applications
- Accessing systems during normal business hours
- Avoiding bulk data downloads initially
- Not modifying configurations or creating new accounts yet
Stage 4: Lateral Movement
Credentials for one system often unlock access to others:
Credential Harvesting
Attackers look for additional credentials within accessed systems:
- Environment variables and configuration files
- Database connection strings
- Secrets in application code
- Cached credentials in memory
- Password managers and key stores
Trust Relationships
Systems often trust each other, enabling lateral movement:
- Service accounts with cross-system access
- Shared credentials between environments
- SSO tokens that work across applications
- API keys with broad permissions
Privilege Escalation
Moving from limited access to administrative control:
- Finding admin credentials in accessible systems
- Exploiting misconfigurations in IAM policies
- Using service account permissions to create new admin accounts
- Leveraging cloud metadata services for additional credentials
Stage 5: Persistence
Attackers establish multiple ways to maintain access:
Backup Access Methods
- Creating new user accounts
- Adding SSH keys to authorized_keys
- Deploying web shells or backdoors
- Setting up reverse tunnels
Credential Modification
- Changing passwords on compromised accounts
- Generating new API keys
- Creating service accounts
- Adding MFA devices they control
Infrastructure Implants
- Deploying cryptocurrency miners (noisy but profitable)
- Installing remote access tools
- Modifying startup scripts
- Creating scheduled tasks or cron jobs
Stage 6: Objective Execution
The final stage depends on attacker motivation:
Data Theft
- Exfiltrating customer databases
- Stealing intellectual property
- Harvesting credentials for other attacks
- Copying financial records
Ransomware
- Encrypting production databases
- Locking out legitimate administrators
- Demanding payment for decryption keys
- Threatening to publish stolen data
Resource Abuse
- Cryptocurrency mining on your infrastructure
- Using your systems for further attacks
- Sending spam through your email systems
- Hosting malicious content
Sabotage
- Deleting critical data
- Corrupting databases
- Taking systems offline
- Damaging reputation through defacement
Timeline of a Real Attack
Here's how quickly a credential attack can unfold:
| Time | Event |
|---|---|
| T+0 | Developer accidentally commits AWS keys to public GitHub repo |
| T+3 min | Automated scanner detects the exposed credentials |
| T+5 min | Credentials validated against AWS API |
| T+8 min | Attacker enumerates accessible resources |
| T+15 min | Additional credentials found in S3 bucket |
| T+30 min | Lateral movement to production database |
| T+45 min | Data exfiltration begins |
| T+2 hours | Cryptocurrency miners deployed across infrastructure |
| T+4 hours | Security team notices unusual activity |
| T+6 hours | Incident response begins |
Exfiltration began 45 minutes after the keys were pushed, and the security team did not notice for another three hours.
Breaking the Kill Chain
Understanding this attack flow reveals multiple intervention points:
- Prevent exposure — Secret scanning in CI/CD, developer training
- Detect exposure — Continuous external monitoring for leaked credentials
- Rapid response — Automated alerts and credential rotation
- Limit blast radius — Least privilege, network segmentation
- Detect abuse — Anomaly detection, access logging
- Prevent persistence — Regular access reviews, infrastructure monitoring
The most effective intervention is detecting and rotating credentials before attackers can exploit them.
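Because Stages 2, 3 and 5 each leave a distinctive footprint in CloudTrail, the "detect abuse" and "prevent persistence" bullets can be turned into concrete rules. The following is an added example, not part of the original page: it runs three rules over constructed CloudTrail-style records that follow the timeline above. Rule 1 flags GetCallerIdentity from a source IP the key has never used (the call needs no permissions and cannot be denied by IAM policy, but it is always logged); rule 2 flags a burst of distinct List/Describe/Get calls shortly after that validation; rule 3 flags persistence actions such as CreateUser or CreateAccessKey by a key rule 1 already flagged. The event records, the IP addresses (RFC 5737 test ranges), the baseline map and the window and threshold values are all this example's assumptions; the access key ID is AWS's documentation placeholder.

```python
from datetime import datetime, timedelta

# Read-only calls that reveal what a key can reach (Stage 3).
ENUMERATION_PREFIXES = ("List", "Describe", "Get")
# Calls that create a second way in (Stage 5).
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "CreateRole", "EnableMFADevice", "ImportKeyPair",
}
ENUM_WINDOW = timedelta(minutes=10)  # assumed burst window
ENUM_MIN_DISTINCT = 3                # assumed number of distinct calls in a burst


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_ips):
    """Run the three rules over CloudTrail-style records, oldest first.

    known_ips maps an access key ID to the source IPs it is expected to use.
    Returns the alerts in the order they fire.
    """
    alerts = []
    suspect_keys = set()   # keys validated from an unexpected IP
    enum_calls = {}        # key -> [(time, eventName)] inside the window
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t = parse_time(ev["eventTime"])
        key = ev["userIdentity"].get("accessKeyId", "")
        name = ev["eventName"]
        ip = ev["sourceIPAddress"]

        # Rule 1: GetCallerIdentity is the classic "is this key alive?" probe.
        # From a known IP it is routine (CI runners do it); from a new IP it is
        # the earliest signal of a leaked key being validated.
        if name == "GetCallerIdentity":
            if ip not in known_ips.get(key, set()):
                suspect_keys.add(key)
                alerts.append({"rule": "validation_from_new_ip", "time": ev["eventTime"],
                               "key": key, "detail": ip})
            continue

        if key not in suspect_keys:
            continue  # rules 2 and 3 only escalate keys already flagged by rule 1

        # Rule 2: several distinct read-only calls right after validation is
        # privilege discovery, not a normal workload pattern.
        if name.startswith(ENUMERATION_PREFIXES):
            recent = [(ts, n) for ts, n in enum_calls.get(key, []) if t - ts <= ENUM_WINDOW]
            recent.append((t, name))
            enum_calls[key] = recent
            distinct = sorted({n for _, n in recent})
            if len(distinct) >= ENUM_MIN_DISTINCT and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "enumeration_burst", "time": ev["eventTime"],
                               "key": key, "detail": ",".join(distinct)})

        # Rule 3: any persistence action by a flagged key.
        if name in PERSISTENCE_EVENTS:
            alerts.append({"rule": "persistence_action", "time": ev["eventTime"],
                           "key": key, "detail": name})
    return alerts


# Constructed sample data. 198.51.100.10 plays the CI runner's egress IP and
# 203.0.113.7 the attacker; both are RFC 5737 documentation addresses.
KNOWN_IPS = {"AKIAIOSFODNN7EXAMPLE": {"198.51.100.10"}}


def event(time, name, source, ip, key="AKIAIOSFODNN7EXAMPLE", user="ci-deploy"):
    """Minimal CloudTrail-shaped record with only the fields the rules read."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key, "userName": user}}


SAMPLE_EVENTS = [
    event("2024-03-01T09:50:00Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.10"),
    event("2024-03-01T09:51:00Z", "PutObject", "s3.amazonaws.com", "198.51.100.10"),
    event("2024-03-01T10:03:00Z", "GetCallerIdentity", "sts.amazonaws.com", "203.0.113.7"),
    event("2024-03-01T10:06:00Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.7"),
    event("2024-03-01T10:07:00Z", "ListUsers", "iam.amazonaws.com", "203.0.113.7"),
    event("2024-03-01T10:08:00Z", "DescribeInstances", "ec2.amazonaws.com", "203.0.113.7"),
    event("2024-03-01T12:05:00Z", "CreateUser", "iam.amazonaws.com", "203.0.113.7"),
    event("2024-03-01T12:06:00Z", "CreateAccessKey", "iam.amazonaws.com", "203.0.113.7"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

The first two records (a validation and an upload from the CI runner's own IP) produce nothing, which is the point of keeping a per-key IP baseline: rule 1 fires on the attacker's probe at 10:03, rule 2 three enumeration calls later, and rule 3 on each persistence action. In the timeline above that is an alert at T+5 min instead of T+4 hours, early enough for automated rotation to pre-empt the lateral movement and exfiltration.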
Key Takeaways
- Credential attacks move fast—minutes, not days
- Attackers have sophisticated, automated tooling
- One credential often leads to many more
- Detection and rapid response are critical
- Understanding attacker methods helps build better defenses
The best defense is finding your exposed credentials before attackers do.