From bf74c8fe863e34770d96bad07c04962bbc7d3943 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Tue, 16 Jul 2024 17:15:51 -0400 Subject: [PATCH] Docs: Expand the explanation of credentials collectors --- .../features/credentials_collectors/_index.md | 39 ++++++++++++++----- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/docs/content/features/credentials_collectors/_index.md b/docs/content/features/credentials_collectors/_index.md index 5c4b648741b..b274235595e 100644 --- a/docs/content/features/credentials_collectors/_index.md +++ b/docs/content/features/credentials_collectors/_index.md 
@@ -6,17 +6,38 @@ pre: " " # Credentials Collectors -## +Credentials Collectors attempt to steal credentials from systems that the +Infection Monkey Agent has infected. -In real-world network attacks, malicious actors often adopt methods to extract -credentials from compromised systems. Stolen credentials enable the attackers -to further breach the environment in many ways including lateral movement, -privilege escalation, data theft, and persistence. +## Mimicking attackers -Infection Monkey has multiple credentials collectors that steal credentials from -compromised machines similarly. These credentials are used during exploitation -for brute-forcing. +In real-world network attacks, malicious actors often attempt to extract +credentials from compromised systems. Stolen credentials enable attackers to +penetrate deeper into the environment in many ways, such as lateral movement, +privilege escalation, data theft, and persistence. To mimic this behavior, +Infection Monkey has multiple plugins, called "credentials collectors", that +steal credentials from compromised hosts. -Infection Monkey provides the following credentials collectors: +## How credentials collectors work + +When an Infection Monkey Agent is started, it begins the reconnaissance phase +of its attack. The first step in this phase is to use all enabled credentials +collectors to steal credentials. Any stolen credentials are then sent to the +Monkey Island, where they become immediately available for any Agent to use. + +After the reconnaissance phase, the Agent will begin the propagation phase and +attempt to compromise other hosts on the network. Exploiters are Infection +Monkey plugins that attempt to spread copies of the Agent throughout the +network. Some exploiters can use the credentials stolen by credentials +collectors to gain access to other systems on the network. 
First, the exploiter +will query the Monkey Island to retrieve credentials that were configured by +the user and any credentials that were stolen by credentials collectors. Next, +the exploiters will use the stolen credentials to attempt to authenticate with +a target system. If authentication is successful, the exploiter will execute +the Agent on the target system, spreading the infection throughout the network. + +## Techniques +To read more about the techniques Infection Monkey can use to steal +credentials, click the links below: {{% children /%}}
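Review bot: In the last paragraph of "How credentials collectors work", the sentence "Next, the exploiters will use the stolen credentials to attempt to authenticate" contradicts the sentence before it, which says the exploiter retrieves both the credentials configured by the user and the ones stolen by credentials collectors. As written, it reads as if configured credentials are never tried. Suggest "Next, the exploiter will use these credentials to attempt to authenticate with a target system.", which also keeps the singular "the exploiter" used in the sentences on either side. The removed text stated that the credentials are used "for brute-forcing"; if that is still how exploiters consume them, it is worth saying so here, since a reader sizing up account-lockout or authentication-failure noise from a run would want to know that each retrieved credential may be tried against a target.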