Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects against OS Credential Dumping by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects against OS Credential Dumping through privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement provides protection from OS Credential Dumping through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. A security baseline configuration of the operating system, combined with integrity checking, can help protect against adversaries attempting to compromise systems and elevate privileges. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects against OS Credential Dumping through key revocation and key management. Key protection strategies for the key material used to protect OS credential backups, together with restriction to specific accounts and access control mechanisms, provide protection against adversaries trying to obtain credentials from OS credential backups. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.AA-01.02 | Physical and logical access | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement protects against OS Credential Dumping through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information. |
CVE-2021-22893 | Ivanti Pulse Connect Secure Use-After-Free Vulnerability | secondary_impact | T1003 | OS Credential Dumping | This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to achieve arbitrary remote code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments. |
CVE-2025-21335 | Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability | primary_impact | T1003 | OS Credential Dumping | This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise. |
CVE-2025-21334 | Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability | primary_impact | T1003 | OS Credential Dumping | This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise. |
CVE-2025-32709 | Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability | primary_impact | T1003 | OS Credential Dumping | This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware. |
CVE-2023-28252 | Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability | secondary_impact | T1003 | OS Credential Dumping | This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM-level privileges. This CVE has been leveraged in the wild by Storm-0506 in activity that deployed Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE: |
CVE-2024-4577 | PHP-CGI OS Command Injection Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary PHP commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaissance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials. |
CVE-2025-21333 | Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability | primary_impact | T1003 | OS Credential Dumping | This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise. |
CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | primary_impact | T1003 | OS Credential Dumping | This vulnerability in Ivanti products is version-specific, requiring reconnaissance to identify the exact version before exploitation. If exploited, attackers may gain the ability to execute arbitrary code and harvest credentials from the compromised device. Additionally, they may perform internal reconnaissance to find additional devices on the network to compromise. |
CVE-2025-32756 | Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability | secondary_impact | T1003 | OS Credential Dumping | Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e., malware), harvest credentials, move laterally over the network by scanning for other devices, erase logs to avoid detection, and exfiltrate data over C2. |
CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity by adversaries has been observed: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, using only signed Windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the Active Directory database, using Windows Management Instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control. |
CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface (TMUI) that allows unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. The Traffic Management User Interface (TMUI) |
CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2019-11634 is a remote code execution vulnerability in Citrix Workspace Application and Receiver for Windows. |
CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint that allowed remote attackers to install webshell malware on vulnerable hosts. |
CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | secondary_impact | T1003 | OS Credential Dumping | CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement, and dumping credentials. |
CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1003 | OS Credential Dumping | This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report. |
CVE-2024-57727 | SimpleHelp Path Traversal Vulnerability | primary_impact | T1003 | OS Credential Dumping | Due to improper handling of HTTP request input, attackers can exploit a path traversal vulnerability in SimpleHelp version 5.5.7 and prior to gain access to critical user data stored in SimpleHelp, such as credentials. With those credentials, they can further compromise the system, for example by achieving code execution. |
CVE-2024-48248 | NAKIVO Backup and Replication Absolute Path Traversal Vulnerability | secondary_impact | T1003 | OS Credential Dumping | An unauthenticated attacker can send a request to the NAKIVO Backup & Replication endpoint that contains a path to a sensitive file, leading to arbitrary file read. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003 | OS Credential Dumping | |
attribute.confidentiality.data_disclosure | None | related-to | T1003 | OS Credential Dumping | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1003 | OS Credential Dumping | This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures. |
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1003 | OS Credential Dumping | Most credential dumping operations do not require modifying resources that can be detected by this control (i.e., the Registry and file system), and therefore its coverage is minimal. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1003 | OS Credential Dumping | This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1003 | OS Credential Dumping | This control provides detection for a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g., sqldumper.exe), further adversely impacting its score. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1003 | OS Credential Dumping | This control only addresses a minority of this technique's procedure examples and one of its sub-techniques, resulting in an overall Minimal score. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1003 | OS Credential Dumping | Google Security Operations can detect a suspicious command-line process that attempted to escalate privileges. Examples of credential access system events include registry-value matches such as: re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = "HTool/WCE" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`). This technique was scored as minimal based on a low or uncertain detection coverage factor. Rule source: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1003 | OS Credential Dumping | The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these factors, and the fact that the security control is only supported for Linux platforms, the score is Minimal. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1003 | OS Credential Dumping | This control provides significant and partial detection for a few of this technique's sub-techniques, while not providing any detection for the remaining ones, resulting in a Minimal coverage score. |
DEF-SECA-E3 | Security Alerts | Technique Scores | T1003 | OS Credential Dumping | Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain: reconnaissance and discovery alerts, persistence and privilege escalation alerts, credential access alerts, lateral movement alerts, and other alerts. License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1003.002 | Security Account Manager | 20 |
T1003.004 | LSA Secrets | 17 |
T1003.007 | Proc Filesystem | 18 |
T1003.001 | LSASS Memory | 35 |
T1003.005 | Cached Domain Credentials | 22 |
T1003.008 | /etc/passwd and /etc/shadow | 21 |
T1003.003 | NTDS | 29 |
T1003.006 | DCSync | 21 |