Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003 | OS Credential Dumping | |
| attribute.confidentiality.data_disclosure | Confirmed or potential data disclosure | related-to | T1003 | OS Credential Dumping | |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1003.008 | /etc/passwd and /etc/shadow | 1 |
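To make the "password dumper (extract credential hashes)" mapping concrete for the one sub-technique listed above, T1003.008, the following is an added example (not code from the ATT&CK page or from any of the mapped tools). It parses `/etc/shadow`-format records, identifies the hash scheme in each, and flags the accounts whose dumped material is immediately useful to an attacker: passwordless accounts and hashes under legacy schemes (traditional DES, md5crypt) that crack cheaply. The sample records are constructed, the hash bodies are placeholders rather than real digests, and the "weak" set is a triage heuristic chosen for this example, not a classification defined by ATT&CK or VERIS.

```python
"""Parse /etc/shadow-style records and triage the credential material an
attacker would harvest via T1003.008. Added example; sample data is constructed."""
from typing import Dict, List

# crypt(3) hash prefixes. Anything not listed is treated as traditional DES
# (13 characters, no '$' prefix) or unknown.
_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}

# Triage heuristic (an assumption of this example, not from the page): schemes an
# attacker can brute-force cheaply once dumped, plus accounts needing no password.
_WEAK = {"empty", "descrypt", "md5crypt"}


def classify_hash(field: str) -> str:
    """Map the second shadow field to a hash family or an account state."""
    if field == "":
        return "empty"          # no password required: immediate access
    if field[0] in "!*":
        return "locked"         # password login disabled (a hash may follow '!')
    for prefix, name in _PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"       # traditional DES crypt: 8-char limit, fast to crack
    return "unknown"


def parse_shadow(text: str) -> List[Dict[str, str]]:
    """Split shadow records into user/hash/scheme; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        user, pw_hash = fields[0], fields[1]
        entries.append({"user": user, "hash": pw_hash, "scheme": classify_hash(pw_hash)})
    return entries


def weak_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Accounts whose dumped credential material is of immediate use to an attacker."""
    return [e["user"] for e in entries if e["scheme"] in _WEAK]


# Constructed sample shadow file; hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$5altsalt$QmFzZTY0UGxhY2Vob2xkZXI:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$5altsalt$UGxhY2Vob2xkZXJIYXNo:19700:0:99999:7:::
bob::19700:0:99999:7:::
carol:$1$5altsalt$UGxhY2Vob2xkZXI:19700:0:99999:7:::
dave:!$6$5altsalt$UGxhY2Vob2xkZXI:19700:0:99999:7:::
legacy:ab6wxYfmnVFWk:19700:0:99999:7:::
"""

if __name__ == "__main__":
    parsed = parse_shadow(SAMPLE_SHADOW)
    for e in parsed:
        print(f"{e['user']:8} {e['scheme']}")
    print("weak:", weak_accounts(parsed))
```

On the defensive side, reading `/etc/shadow` requires root (or the `shadow` group), so the read itself is the observable: a Linux audit watch such as `-w /etc/shadow -p r -k shadow_read` records every process that opens the file for reading, which is the detection counterpart to the data-disclosure mapping in the first table.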