T1003 OS Credential Dumping Mappings

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1003 | OS Credential Dumping |
| AC-2 | Account Management | Protects | T1003 | OS Credential Dumping |
| AC-3 | Access Enforcement | Protects | T1003 | OS Credential Dumping |
| AC-4 | Information Flow Enforcement | Protects | T1003 | OS Credential Dumping |
| AC-5 | Separation of Duties | Protects | T1003 | OS Credential Dumping |
| AC-6 | Least Privilege | Protects | T1003 | OS Credential Dumping |
| CA-7 | Continuous Monitoring | Protects | T1003 | OS Credential Dumping |
| CM-2 | Baseline Configuration | Protects | T1003 | OS Credential Dumping |
| CM-5 | Access Restrictions for Change | Protects | T1003 | OS Credential Dumping |
| CM-6 | Configuration Settings | Protects | T1003 | OS Credential Dumping |
| CM-7 | Least Functionality | Protects | T1003 | OS Credential Dumping |
| CP-9 | System Backup | Protects | T1003 | OS Credential Dumping |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1003 | OS Credential Dumping |
| IA-4 | Identifier Management | Protects | T1003 | OS Credential Dumping |
| IA-5 | Authenticator Management | Protects | T1003 | OS Credential Dumping |
| SC-28 | Protection of Information at Rest | Protects | T1003 | OS Credential Dumping |
| SC-39 | Process Isolation | Protects | T1003 | OS Credential Dumping |
| SI-12 | Information Management and Retention | Protects | T1003 | OS Credential Dumping |
| SI-3 | Malicious Code Protection | Protects | T1003 | OS Credential Dumping |
| SI-4 | System Monitoring | Protects | T1003 | OS Credential Dumping |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1003 | OS Credential Dumping |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1003 | OS Credential Dumping |
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1003 | OS Credential Dumping |
| azure_sentinel | Azure Sentinel | technique_scores | T1003 | OS Credential Dumping |
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1003 | OS Credential Dumping |
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1003 | OS Credential Dumping |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1003 | OS Credential Dumping |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1003.008 | /etc/passwd and /etc/shadow | 15 |
| T1003.005 | Cached Domain Credentials | 17 |
| T1003.006 | DCSync | 17 |
| T1003.004 | LSA Secrets | 15 |
| T1003.001 | LSASS Memory | 19 |
| T1003.003 | NTDS | 19 |
| T1003.007 | Proc Filesystem | 14 |
| T1003.002 | Security Account Manager | 15 |