Anatomy of a Privileged Credential Attack: Five Patterns That Keep Working
Security · February 11, 2026 · 10 min read


DataDike Security Research

PAM Research & Field Engineering

After enough incident-response engagements you stop being surprised. The patterns by which an attacker turns a foothold into domain-wide compromise repeat with depressing regularity, and a small set of PAM controls reliably break the chain. Here are the five we see most often.

Pattern 1: The flat workstation

The attacker phishes a domain user. The user is a local administrator on their own laptop — for "convenience" reasons that go back to a Windows XP migration nobody wants to undo. With local admin, the attacker dumps cached credentials with Mimikatz or its modern equivalents and finds the credential of a help-desk technician who logged in remotely the previous week. That credential has rights across the desktop estate. Within an hour the attacker is on every workstation in the building.

MITRE ATT&CK steps: T1078 (Valid Accounts) → T1003 (OS Credential Dumping) → T1021 (Remote Services).

PAM control that breaks the chain

Remove local admin from human accounts. Privileged tasks on the workstation happen via the PAM gateway, which spawns an elevated process under a dedicated account that is not cached. Mimikatz finds nothing useful.

Pattern 2: The forgotten service account

A service account named svc_backup was created in 2014 for a backup job. The job is long retired, but the account is still in Domain Admins because nobody wants to be the person who breaks backups. Its password is in a script on a file share that 200 people can read. The attacker finds the share, finds the script, and now they are Domain Admin.

MITRE ATT&CK steps: T1083 (File and Directory Discovery) → T1552.001 (Credentials in Files) → T1078.002 (Domain Accounts).

PAM control that breaks the chain

Vault every service-account credential and rotate it on a schedule. Scripts request the credential from the vault at runtime via a signed identity, so a copy of the script on a file share does not contain a working password.

Pattern 3: The lateral hop via RDP

The attacker has a foothold and the credential of a server administrator. They RDP from server to server, gathering more credentials at each hop until they reach the domain controller. There is no detection in the path because every RDP session is "expected" and the SOC is looking at the wrong logs.

MITRE ATT&CK steps: T1021.001 (Remote Services: RDP) → T1003 (OS Credential Dumping) → T1078 (Valid Accounts).

PAM control that breaks the chain

Block direct RDP between servers. Administrators connect through the PAM gateway, which proxies the RDP session. Every hop is logged, every command is captured, and credential dumping on an intermediate server is useless because the administrator never logged in to the intermediate — the gateway did.
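A detection the SOC could run against logon telemetry to expose this kind of server-to-server hopping, as an added example that is not from the original post: it reads constructed Windows Security 4624 logon records (logon type 10 is RemoteInteractive, i.e. RDP) together with an assumed host-to-address inventory, and reports any account whose RDP logons chain from one server's address to the next within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Event ID 4624 logon type 10 = RemoteInteractive (RDP)

# Constructed sample records shaped like the fields a SIEM extracts from a
# 4624 event: (time, destination host, account, source address, logon type).
SAMPLE_EVENTS = [
    ("2026-02-11T09:00:00", "FILE01", "CORP\\adm.jsmith", "10.0.1.50", 10),  # laptop -> FILE01
    ("2026-02-11T09:04:00", "APP02", "CORP\\adm.jsmith", "10.0.2.11", 10),   # FILE01 -> APP02
    ("2026-02-11T09:09:00", "DC01", "CORP\\adm.jsmith", "10.0.2.12", 10),    # APP02 -> DC01
    ("2026-02-11T09:10:00", "FILE01", "CORP\\svc_backup", "10.0.2.20", 3),   # network logon, not RDP
    ("2026-02-11T11:00:00", "APP02", "CORP\\adm.lee", "10.0.1.60", 10),      # one hop from a laptop
]

# Assumed asset inventory (constructed): the address each server connects out from.
HOST_IP = {"FILE01": "10.0.2.11", "APP02": "10.0.2.12", "DC01": "10.0.2.1"}


def rdp_chains(events, host_ip, window=timedelta(minutes=30)):
    """Return (account, [host, ...]) for each RDP path of two or more logons.

    B -> C extends a path ending at B when the same account arrives at C
    from B's own address within `window` of the previous logon.
    """
    hops = defaultdict(list)
    for ts, dst, account, src_ip, logon_type in events:
        if logon_type == RDP_LOGON_TYPE:
            hops[account].append((datetime.fromisoformat(ts), src_ip, dst))

    chains = []
    for account, entries in hops.items():
        entries.sort()  # chronological per account
        path, last_seen = [], None
        for when, src_ip, dst in entries:
            continues = path and src_ip == host_ip.get(path[-1]) and when - last_seen <= window
            if continues:
                path.append(dst)
            else:
                if len(path) >= 2:
                    chains.append((account, path))
                path = [dst]  # start a fresh path at this destination
            last_seen = when
        if len(path) >= 2:
            chains.append((account, path))
    return chains


if __name__ == "__main__":
    for account, path in rdp_chains(SAMPLE_EVENTS, HOST_IP):
        print(f"{account}: {' -> '.join(path)}")
```

Once the gateway proxies every session, each hop originates from the gateway's address rather than from another server, so any chain this function still finds is itself the alert.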

Pattern 4: The leaked CI/CD secret

A developer commits a build secret to a public-by-accident repository. The secret is a long-lived API key with permission to deploy infrastructure. By the time the alert fires, the attacker has spun up a hundred crypto-miners on the corporate cloud account.

MITRE ATT&CK steps: T1552.001 (Credentials in Files) → T1078.004 (Cloud Accounts) → T1496 (Resource Hijacking).

PAM control that breaks the chain

Eliminate long-lived secrets from CI/CD. Pipelines authenticate to the vault using a short-lived workload identity (Kubernetes service account, GitHub OIDC, etc.) and receive ephemeral cloud credentials with a TTL measured in minutes. A leaked secret is useless within the time it takes to find it.

Pattern 5: The vendor with too much access

A third-party vendor — a managed service provider, a software supplier, a maintenance contractor — has a VPN account with broad access. The vendor is compromised. The attacker uses the vendor's VPN to walk in the front door of every customer the vendor serves.

MITRE ATT&CK steps: T1199 (Trusted Relationship) → T1133 (External Remote Services) → T1078 (Valid Accounts).

PAM control that breaks the chain

Vendor access goes through the PAM gateway, not a VPN. Sessions are recorded, time-bounded, and require per-session approval. The vendor cannot be on the network outside of an approved session window, and every action they take is auditable.

The pattern across patterns

Notice what is common: in all five chains, the attacker succeeds because a valid credential exists in a place they could find, at a moment they wanted to use it. PAM, done right, makes those three conditions almost impossible to satisfy simultaneously. The credential is in a vault, the credential changes faster than reconnaissance, and the moment of use is mediated by a gateway that does not care about the credential at all.