Insider Threat Matrix™Insider Threat Matrix™
  • ID: PR041
  • Created: 06th July 2026
  • Updated: 06th July 2026
  • MITRE ATT&CK®: T1552T1552.001T1552.002T1552.003T1552.004T1552.005T1552.006T1552.007T1552.008T1003T1003.001T1003.002T1003.003T1003.004T1003.005T1003.006T1003.007T1003.008T1528T1555T1555.001T1555.002T1555.003T1555.004T1555.005T1555.006
  • Contributor: The ITM Team

Credential Collection

A subject collects, copies, retrieves, exports, records, or stages credentials, secrets, keys, certificates, tokens, or other authentication material in preparation for later access or misuse. This behavior may involve credentials assigned to the subject, credentials assigned to another individual, shared credentials, service account credentials, or authentication material discovered in exposed locations such as tickets, repositories, documentation, configuration files, scripts, password managers, or secrets vaults.

 

Credential collection becomes a preparatory concern when the subject’s handling of authentication material exceeds their legitimate operational need or indicates future use outside approved access processes. The behavior may include saving credentials to local files, screenshots, notes, spreadsheets, personal password managers, clipboard history, removable media, or other locations where they can be reused later.

 

This preparation may precede unauthorized access, internal credential sharing, privilege misuse, data collection, sabotage, or anti-forensic measures to mislead attribution.