Attack Lifecycle · Stage 3 of 7

Stage 3: Credential Access

May 2026 · 8 min read · MITRE ATT&CK · Password Theft · Hash Dumping · Credential Harvesting

Stage 3 of the cyberattack lifecycle: Credential Access. The attacker steals credentials to move through the network as a legitimate user — making their activity nearly invisible to traditional security tools.

Stage 3: Credential Access - Purim NetGo

Overview S1 S2 S3 S4 S5 S6 S7

Attacker Goal

Obtain valid credentials to authenticate as legitimate users, enabling unrestricted movement through the network.

MITRE ATT&CK Techniques

T1003T1110T1555T1056T1539T1606

Stage Description

The attacker steals credentials to move through the network as a legitimate user — making their activity nearly invisible to traditional security tools.

Common Entry Vectors

Dumping password hashes from Windows memory
Credential stuffing using leaked password databases
Keylogging to capture credentials as they are typed
Browser password store extraction
Phishing for credentials via fake login pages

Typical Attacker Actions

Dumps LSASS memory to extract password hashes
Accesses stored credentials in browsers and applications
Installs keyloggers to capture credentials in real time
Searches configuration files for hardcoded passwords
Uses fake login pages to harvest credentials

✓ Purim NetGo Detection & Response

Canary credentials planted in high-value locations
Fake password files that alert when accessed or used
Honeypot login portals that capture attacker credentials
Alerts fire the moment canary credentials are used anywhere
Full intelligence on who used the credentials and from where

What Purim NetGo Delivers at This Stage

Credential Trap Detection — catch thieves at the moment of theft
Zero-Day Coverage — no signatures needed for detection
Instant Alerts — know within seconds when credentials are stolen
Attacker Intelligence — capture the thief's full profile
Proactive Defense — detect before credentials are weaponized

See It In Action

Get a real simulated attack alert sent to your inbox — experience deception security firsthand.

Launch Free Test Drive