1. Home
  2. ATT&CK Techniques
  3. T1003 OS Credential Dumping

T1003 OS Credential Dumping Mappings

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1003 OS Credential Dumping
AC-2 Account Management Protects T1003 OS Credential Dumping
AC-3 Access Enforcement Protects T1003 OS Credential Dumping
AC-4 Information Flow Enforcement Protects T1003 OS Credential Dumping
AC-5 Separation of Duties Protects T1003 OS Credential Dumping
AC-6 Least Privilege Protects T1003 OS Credential Dumping
CA-7 Continuous Monitoring Protects T1003 OS Credential Dumping
CM-2 Baseline Configuration Protects T1003 OS Credential Dumping
CM-5 Access Restrictions for Change Protects T1003 OS Credential Dumping
CM-6 Configuration Settings Protects T1003 OS Credential Dumping
CM-7 Least Functionality Protects T1003 OS Credential Dumping
CP-9 System Backup Protects T1003 OS Credential Dumping
IA-2 Identification and Authentication (organizational Users) Protects T1003 OS Credential Dumping
IA-4 Identifier Management Protects T1003 OS Credential Dumping
IA-5 Authenticator Management Protects T1003 OS Credential Dumping
SC-28 Protection of Information at Rest Protects T1003 OS Credential Dumping
SC-39 Process Isolation Protects T1003 OS Credential Dumping
SI-12 Information Management and Retention Protects T1003 OS Credential Dumping
SI-3 Malicious Code Protection Protects T1003 OS Credential Dumping
SI-4 System Monitoring Protects T1003 OS Credential Dumping
SI-7 Software, Firmware, and Information Integrity Protects T1003 OS Credential Dumping

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1003 OS Credential Dumping
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1003 OS Credential Dumping
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux
azure_sentinel Azure Sentinel technique_scores T1003 OS Credential Dumping
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1003 OS Credential Dumping
Comments
This control provides significant and partial detection for a few of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal coverage score.
References
  1. https://docs.microsoft.com/en-us/defender-for-identity/what-is
file_integrity_monitoring File Integrity Monitoring technique_scores T1003 OS Credential Dumping
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e. Registry and File system) and therefore its coverage is minimal.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring
azure_defender_for_app_service Azure Defender for App Service technique_scores T1003 OS Credential Dumping
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1003.008 /etc/passwd and /etc/shadow 15
T1003.005 Cached Domain Credentials 17
T1003.006 DCSync 17
T1003.004 LSA Secrets 15
T1003.001 LSASS Memory 19
T1003.003 NTDS 19
T1003.007 Proc Filesystem 14
T1003.002 Security Account Manager 15