Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
View in MITRE ATT&CK®Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1003.008 | /etc/passwd and /etc/shadow | 15 |
T1003.005 | Cached Domain Credentials | 17 |
T1003.006 | DCSync | 17 |
T1003.004 | LSA Secrets | 15 |
T1003.001 | LSASS Memory | 19 |
T1003.003 | NTDS | 19 |
T1003.007 | Proc Filesystem | 14 |
T1003.002 | Security Account Manager | 15 |