T1003 OS Credential Dumping Mappings

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1003 OS Credential Dumping
CM-06 Configuration Settings mitigates T1003 OS Credential Dumping
CM-05 Access Restrictions for Change mitigates T1003 OS Credential Dumping
CM-07 Least Functionality mitigates T1003 OS Credential Dumping
CP-09 System Backup mitigates T1003 OS Credential Dumping
IA-02 Identification and Authentication (Organizational Users) mitigates T1003 OS Credential Dumping
IA-04 Identifier Management mitigates T1003 OS Credential Dumping
IA-05 Authenticator Management mitigates T1003 OS Credential Dumping
SC-28 Protection of Information at Rest mitigates T1003 OS Credential Dumping
SC-39 Process Isolation mitigates T1003 OS Credential Dumping
SI-12 Information Management and Retention mitigates T1003 OS Credential Dumping
SI-02 Flaw Remediation mitigates T1003 OS Credential Dumping
SI-07 Software, Firmware, and Information Integrity mitigates T1003 OS Credential Dumping
SI-03 Malicious Code Protection mitigates T1003 OS Credential Dumping
AC-16 Security and Privacy Attributes mitigates T1003 OS Credential Dumping
CM-02 Baseline Configuration mitigates T1003 OS Credential Dumping
SI-04 System Monitoring mitigates T1003 OS Credential Dumping
AC-02 Account Management mitigates T1003 OS Credential Dumping
AC-03 Access Enforcement mitigates T1003 OS Credential Dumping
AC-04 Information Flow Enforcement mitigates T1003 OS Credential Dumping
AC-05 Separation of Duties mitigates T1003 OS Credential Dumping
AC-06 Least Privilege mitigates T1003 OS Credential Dumping

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003 OS Credential Dumping
attribute.confidentiality.data_disclosure None related-to T1003 OS Credential Dumping

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1003 OS Credential Dumping
Comments
Google Security Operations is able to detect suspicious command-line process attempted to escalate privileges. Examples of credential access system events include: (e.g.,"re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = "HTool/WCE" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`)). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1003 OS Credential Dumping
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1003.002 Security Account Manager 15
T1003.004 LSA Secrets 14
T1003.007 Proc Filesystem 15
T1003.001 LSASS Memory 20
T1003.005 Cached Domain Credentials 17
T1003.008 /etc/passwd and /etc/shadow 16
T1003.003 NTDS 19
T1003.006 DCSync 16