Cred theft AA24-057A
Engine-driven compliance rail for Credential theft → MFA fatigue → lateral movement (remote-user SaaS path) on the Defense (CMMC contractor) protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.
step 01 / 06
step 01TF2observedATT&CK T1110
stage 2
Adversary obtains password via brute force or password spraying against a remote-user SaaS login surface. AA24-057A: "SVR use password spraying and brute forcing as an initial infection vector."
mitigating controls
idpmfa-authenticatorca-pkikms-secretspam
in-scope provisions (6)
- partialPR.AA-01 — Identity Management, Authentication, and Access Control
- partialPR.AA-02 — Identity Management, Authentication, and Access Control
- partialPR.AA-03 — Identity Management, Authentication, and Access Control
- partialPR.AA-04 — Identity Management, Authentication, and Access Control
- partialPR.AA-05 — Identity Management, Authentication, and Access Control
- partialAccount Management
obligation
no regulatory clock for this step
- 01Initial Accessidentity-svcPhishing-resistant MFA is not enforced for every principal. A high-privilege identity yields its password to a phishing portal; the PE accepts the reused secret.
- 02DiscoverycrmThe compromised identity logs into Salesforce and pivots through field-level data, mapping the customer base and the privileged-user list for the next hop.
- 03Lateral Movementgoogle-workspaceThe same federated identity is replayed against Google Workspace. AA24-057A documents Midnight Blizzard’s SaaS-to-SaaS pivots via OAuth tokens granted under the assumed principal.
- 04Exfiltrationcustomer-piiCustomer PII is exported through legitimate SaaS APIs under the stolen identity — no anomaly fires because the access pattern is a valid-account one (T1078).