T1003: OS Credential Dumping
| View on MITRE ATT&CK | T1003 |
|---|---|
| Tactic(s) | Credential Access |
| Associated CAPEC Patterns | Collect Data from Common Resource Locations (CAPEC-150) |
Data from MITRE ATT&CK®:
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Process Integrity
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
Password Policies
Set and enforce secure password policies for accounts.
Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
Encrypt Sensitive Information
Protect sensitive information with strong encryption.
Credential Access Protection
Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping.
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Active Directory Object Access (Active Directory)
Opening of an Active Directory object, typically to collect/read its value (ex: Windows EID 4661)
OS API Execution (Process)
Operating system function/method calls executed by a process
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Windows Registry Key Access (Windows Registry)
Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)
Process Access (Process)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Dump Credential Manager using keymgr.dll and rundll32.exe
Credential Dumping with NPPSpy
Dump svchost.exe to gather RDP credentials
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
Gsecdump
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
Sigma Detections for this Technique
Potentially Suspicious ODBC Driver Registered
Suspicious Reg Add Open Command
OpenCanary - MSSQL Login Attempt Via SQLAuth
Hacktool Execution - PE Metadata
Hacktool Execution - Imphash
Potential Credential Dumping Via LSASS Process Clone
HackTool - Rubeus Execution - ScriptBlock
HackTool - Rubeus Execution
Interesting Service Enumeration Via Sc.EXE
Loaded Module Enumeration Via Tasklist.EXE
Shadow Copies Creation Using Operating Systems Utilities
Access To Browser Credential Files By Uncommon Application
Suspicious SYSTEM User Process Creation
OpenCanary - MySQL Login Attempt
Potential Credential Dumping Attempt Using New NetworkProvider - REG
WCE wceaux.dll Access
Esentutl Gather Credentials
OpenCanary - REDIS Action Command Attempt
Malicious Service Installations
Potential Invoke-Mimikatz PowerShell Script
Antivirus Password Dumper Detection
Potential Remote Credential Dumping Activity
Credential Manager Access By Uncommon Application
Capture Credentials with Rpcping.exe
Linux Keylogging with Pam.d
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Microsoft IIS Service Account Password Dumped
Live Memory Dump Using Powershell
Rare Subscription-level Operations In Azure
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Microsoft IIS Connection Strings Decryption
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.