APT-SNOWFLAKE-2024Credential Access

Snowflake Stolen-Credential Mass Theft (2024)

Customer Snowflake tenants without enforced MFA / no IP allow-list — infostealer logs gave attackers credentials, leading to multi-tenant mass exfil (UNC5537).

§ Where this technique fits

APT-SNOWFLAKE-2024 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
step 3 / 6

§ What commonly comes next

01
Account Discovery
T1087 · Discovery
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)

§ What commonly comes next