Home/ MITRE Matrix/ Credential Access/ T1212

T1212Exploitation for Credential Access

T1212 — Exploitation for Credential Access is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 14 detection use cases covering it and 9 threat-intel articles citing it.

Credential Access

View on the matrix → Filter Detection Library MITRE official spec ↗

14Use cases

9Articles

0Sub-techniques

1Tactic

Use cases covering this technique (14)

Kubernetes Nginx Ingress LFI ESCU actions · alerting P Kubernetes Nginx Ingress RFI ESCU actions · alerting P Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script ESCU actions · alerting P [LLM] nebula-mesh CVE-2026-47724 — cross-tenant host identity hijack via /hosts/{id}/reenroll → /enroll chain Bespoke install · alerting SPDD [LLM] Claude Code Action Read tool exfil: node opens /proc/<pid>/environ on Linux CI runner Bespoke exploit · alerting DSΣPDDCS [LLM] Process reading /proc/<pid>/mem of GitHub Actions Runner.Worker (in-memory secret extraction) Bespoke actions · alerting DSΣPDDCS [LLM] praisonai-platform cross-tenant workspace operations from single source IP Bespoke actions · alerting DSPDD [LLM] Arcane GitOps: non-admin PUT on /api/customize/git-repositories/{id} followed by /test, /branches, or /files within 5 min (CVE-2026-45625 cr Bespoke actions · alerting SPDD [LLM] Strapi CVE-2026-27886 exploit — `where[admin-relation][private-field]` query parameter against public Content API Bespoke exploit · alerting SΣPDD [LLM] Strapi boolean-oracle hex-alphabet brute force from single source Bespoke exploit · alerting SPDD [LLM] Strapi CVE-2026-27886 admin takeover — exploit burst followed by `/admin/reset-password` POST Bespoke actions · alerting SPDD [LLM] SvelteKit Vercel __pathname cache deception exploit request (CVE-2026-27118) Bespoke exploit · alerting SΣPDD [LLM] Runner.Worker process memory dump via memdump.py on CI/CD runner (tj-actions credential theft) Bespoke actions · alerting DSΣPDDCS [LLM] Runner.Worker process memory dumped via /proc/PID/mem read on Linux runner Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (9)

crit [GHSA / CRITICAL] CVE-2026-47724: nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation art-96

high Securing CI/CD in an agentic world: Claude Code Github action case art-117

high Multiple redhat-cloud-services npm Packages compromised art-144

crit [GHSA / CRITICAL] CVE-2026-47410: praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery f art-163

crit [GHSA / CRITICAL] CVE-2026-45625: Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltra art-274

crit [GHSA / CRITICAL] CVE-2026-27886: Strapi may leak sensitive data via relational filtering due to lack of query sanitization art-305

crit SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel art-518

crit When 'Changed Files' Changed Everything: Our Black Hat 2025 Presentation on the tj-actions Supply Chain Breach art-815

crit Reconstructing the TJ Actions Changed Files GitHub Actions Compromise art-957