T1003 · Technique · credential-access · agent-callable

T1003 OS Credential Dumping

Platforms: Windows · Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

ATT&CK tactics (1)

Credential Access

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.