Matrix/Lateral Movement/T-5004

T-5004observedactive9 evidence records

Credential Reuse

Reuse harvested credentials to access additional services and agents

Tactic

Lateral Movement (Stage 5)

Pivot from compromised agent to connected services or other agents

Attack Class

RETROACTIVE-PRIV

Exploiting previously granted access or cached credentials to gain unauthorized capabilities

Evidence

observed

Confirmed in real-world production systems or internet-wide exposure assessments.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

credential reuse

Honeypot Coverage (AgentPwn)

Out of scope

Not observable via content-side honeypot interaction. HackMyAgent or DVAA cover this where applicable.

Requires cross-system credential context that AgentPwn does not simulate.

Evidence Source Breakdown

HMA

9 records

Evidence Timeline

HMA

HMA check CRED-001 failed on cred-test

May 12, 2026

HMA

HMA check CRED-001 failed on cred-test

May 11, 2026

HMA

HMA check CRED-001 failed on cred-test

Apr 30, 2026

HMA

HMA check CRED-001 failed on soc-demo

Apr 30, 2026

HMA

HMA check CRED-001 failed on opena2a-cli

Apr 29, 2026

HMA

HMA check CRED-001 failed on cred-test

Apr 29, 2026

HMA

HMA check CRED-001 failed on cred-test

Apr 28, 2026

HMA

HMA check CRED-001 failed on cred-test

Apr 27, 2026

HMA

HMA check CRED-001 failed on cred-test

Apr 22, 2026

Detection (HackMyAgent)

Live1 live · 0 queued

CRED-001

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live9 live · 0 queued

OASB 10.1 OASB 10.2 OASB 10.3 OASB 10.4 OASB 10.5 OASB 7.1 OASB 7.2 OASB 7.3 OASB 7.4

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-5004 (Credential Reuse). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-5004

← Back to Matrix