Preparation
Account Creation
AI-Assisted Capability Development
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Credential Collection
Data Obfuscation
Data Staging
Delegated Preparation via Artificial Intelligence Agents
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Hardware-Based Remote Access (IP-KVM)
Impersonation
Increase Privileges
IT Ticketing System Exploration
Joiner
Media Capture via External Device
Mover
Network Scanning
Observational Information Gathering
On-Screen Data Collection
Oversight Circumvention and Control Degradation
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
Testing Security Controls
VPN Usage
- ID: PR041
- Created: 06th July 2026
- Updated: 06th July 2026
- Contributor: The ITM Team
Credential Collection
A subject collects, copies, retrieves, exports, records, or stages credentials, secrets, keys, certificates, tokens, or other authentication material in preparation for later access or misuse. This behavior may involve credentials assigned to the subject, credentials assigned to another individual, shared credentials, service account credentials, or authentication material discovered in exposed locations such as tickets, repositories, documentation, configuration files, scripts, password managers, or secrets vaults.
Credential collection becomes a preparatory concern when the subject’s handling of authentication material exceeds their legitimate operational need or indicates future use outside approved access processes. The behavior may include saving credentials to local files, screenshots, notes, spreadsheets, personal password managers, clipboard history, removable media, or other locations where they can be reused later.
This preparation may precede unauthorized access, internal credential sharing, privilege misuse, data collection, sabotage, or anti-forensic account misuse. IF025 – Internal Credential Sharing describes the infringement involving unauthorized credential use between individuals, and AF024 – Account Misuse describes account-related behavior used to obscure identity, frustrate attribution, or hinder investigation.