OS Credential Dumping (T1003)
Tactic: Credential Access · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 9 mitigations, 13 threat groups, 7 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Sub-techniques
- LSASS Memory (T1003.001)
- Security Account Manager (T1003.002)
- NTDS (T1003.003)
- LSA Secrets (T1003.004)
- Cached Domain Credentials (T1003.005)
- DCSync (T1003.006)
- Proc Filesystem (T1003.007)
- /etc/passwd and /etc/shadow (T1003.008)