T1003 OS Credential Dumping Mappings

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1003 OS Credential Dumping
AC-2 Account Management Protects T1003 OS Credential Dumping
AC-3 Access Enforcement Protects T1003 OS Credential Dumping
AC-4 Information Flow Enforcement Protects T1003 OS Credential Dumping
AC-5 Separation of Duties Protects T1003 OS Credential Dumping
AC-6 Least Privilege Protects T1003 OS Credential Dumping
CA-7 Continuous Monitoring Protects T1003 OS Credential Dumping
CM-2 Baseline Configuration Protects T1003 OS Credential Dumping
CM-5 Access Restrictions for Change Protects T1003 OS Credential Dumping
CM-6 Configuration Settings Protects T1003 OS Credential Dumping
CM-7 Least Functionality Protects T1003 OS Credential Dumping
CP-9 System Backup Protects T1003 OS Credential Dumping
IA-2 Identification and Authentication (organizational Users) Protects T1003 OS Credential Dumping
IA-4 Identifier Management Protects T1003 OS Credential Dumping
IA-5 Authenticator Management Protects T1003 OS Credential Dumping
SC-28 Protection of Information at Rest Protects T1003 OS Credential Dumping
SC-39 Process Isolation Protects T1003 OS Credential Dumping
SI-12 Information Management and Retention Protects T1003 OS Credential Dumping
SI-2 Flaw Remediation Protects T1003 OS Credential Dumping
SI-3 Malicious Code Protection Protects T1003 OS Credential Dumping
SI-4 System Monitoring Protects T1003 OS Credential Dumping
SI-7 Software, Firmware, and Information Integrity Protects T1003 OS Credential Dumping
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003 OS Credential Dumping
attribute.confidentiality.data_disclosure related-to T1003 OS Credential Dumping

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1003.002 Security Account Manager 19
T1003.004 LSA Secrets 17
T1003.007 Proc Filesystem 17
T1003.001 LSASS Memory 22
T1003.005 Cached Domain Credentials 21
T1003.008 /etc/passwd and /etc/shadow 17
T1003.003 NTDS 21
T1003.006 DCSync 20