title: Exploitation for Credential Access (T1212)
id: df00tech-t1212
status: experimental
description: "Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained."
references:
  - https://attack.mitre.org/techniques/T1212/
  - https://df00tech.com/detections/T1212
author: df00tech
date: 2026/04/19
tags:
  - attack.t1212
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Set to the Windows Security log here, since the falsepositives below refer to
# Kerberos ticket events (4769), pre-authentication failures and 4672, none of
# which are process-creation events.
logsource:
  product: windows
  service: security
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder selection reconstructed from the falsepositives below (krbtgt service
  # ticket requests using RC4, TicketEncryptionType 0x17) so the rule does not match
  # every event. Replace with the published query before use.
  selection:
    EventID: 4769
    ServiceName|startswith: 'krbtgt'
    TicketEncryptionType: '0x17'
  condition: selection
falsepositives:
  - Legacy applications or domain-joined systems configured to only support RC4 Kerberos encryption that legitimately request krbtgt TGS tickets with TicketEncryptionType 0x17
  - "Environments with mixed encryption policy (GPO: Network security: Configure encryption types allowed for Kerberos) where RC4 is explicitly permitted for compatibility with older systems"
  - "Authorized penetration testing or red team exercises using Kerberoasting, Mimikatz, or MS14-068 proof-of-concept tools — correlate with change management tickets and known testing windows"
  - "Monitoring, backup, or ITSM agents making frequent Kerberos service ticket requests that may trigger the pre-authentication failure sweep threshold"
  - "Domain controller promotion, demotion, or inter-site replication operations that trigger EventID 4672 with elevated privileges on DC accounts"
level: critical
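The falsepositives list above describes two Kerberos signals behind this rule: krbtgt service ticket requests using RC4 (Event 4769 with TicketEncryptionType 0x17) and a pre-authentication failure sweep threshold (Event 4771). The block below is an added example, not df00tech's rule or query, that implements both checks in Python over constructed Security events; the host names, account names, addresses and the allowlist of legacy RC4-only hosts are hypothetical, and the sweep threshold and window are illustrative defaults.

```python
"""Added example (not from df00tech): two Kerberos checks over constructed
Windows Security events, mirroring the falsepositives section of the rule."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event 4769

# Constructed sample events (hypothetical accounts and addresses), as a SIEM
# would export them after parsing the Security log.
SAMPLE_EVENTS = [
    # AES TGT request: benign.
    {"EventID": 4769, "TimeCreated": "2026-04-19T08:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # RC4 krbtgt request from a known legacy host (the false positive the rule names).
    {"EventID": 4769, "TimeCreated": "2026-04-19T08:00:07", "TargetUserName": "svc-legacy@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    # RC4 krbtgt request from an ordinary workstation: should be flagged.
    {"EventID": 4769, "TimeCreated": "2026-04-19T08:01:15", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    # RC4 ticket for a non-krbtgt service: outside this rule's scope.
    {"EventID": 4769, "TimeCreated": "2026-04-19T08:01:20", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "fileserver01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    # Two failures for one account from one host: not a sweep.
    {"EventID": 4771, "TimeCreated": "2026-04-19T08:02:00", "TargetUserName": "alice",
     "Status": "0x18", "IpAddress": "10.0.0.5"},
    {"EventID": 4771, "TimeCreated": "2026-04-19T08:02:30", "TargetUserName": "alice",
     "Status": "0x18", "IpAddress": "10.0.0.5"},
] + [
    # Six distinct accounts failing pre-auth from one host within a minute: a sweep.
    {"EventID": 4771, "TimeCreated": f"2026-04-19T08:02:{10 * n:02d}", "TargetUserName": f"user{n}",
     "Status": "0x18", "IpAddress": "10.0.0.77"}
    for n in range(6)
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rc4_krbtgt_requests(events, rc4_allowlist=frozenset()):
    """Return Event 4769 records that request a krbtgt (TGT) ticket with RC4.

    Hosts in rc4_allowlist (legacy RC4-only systems covered by the encryption
    type GPO) are dropped as known false positives.
    """
    hits = []
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if not e.get("ServiceName", "").lower().startswith("krbtgt"):
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        if e.get("IpAddress") in rc4_allowlist:
            continue
        hits.append(e)
    return hits


def preauth_failure_sweeps(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: distinct_accounts} for sources whose Event 4771
    failures cover at least `threshold` distinct accounts inside any
    `window`-long interval. Repeated failures for one account do not count."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4771:
            by_ip[e["IpAddress"]].append((_ts(e), e["TargetUserName"]))
    sweeps = {}
    for ip, failures in by_ip.items():
        failures.sort()
        best = 0
        for start, _ in failures:  # slide a window anchored at each failure
            users = {u for t, u in failures if start <= t <= start + window}
            best = max(best, len(users))
        if best >= threshold:
            sweeps[ip] = best
    return sweeps


if __name__ == "__main__":
    for hit in rc4_krbtgt_requests(SAMPLE_EVENTS, rc4_allowlist={"10.0.0.9"}):
        print("RC4 krbtgt request:", hit["TargetUserName"], "from", hit["IpAddress"])
    for ip, count in preauth_failure_sweeps(SAMPLE_EVENTS).items():
        print("Pre-auth failure sweep:", ip, "->", count, "accounts")
```

Both functions return the matching records rather than printing them, so the same logic can feed a SIEM enrichment step or a unit test; the allowlist is keyed on source address because that is what the legacy-host false positive in the rule is tied to.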
