T1003

Linux macOS Windows
OS Credential Dumping

Description

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.

Credentials can then be used to perform Lateral Movement and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers.

Additional custom tools likely exist as well.

Sub-techniques

T1003.001 — LSASS Memory T1003.002 — Security Account Manager T1003.003 — NTDS T1003.004 — LSA Secrets T1003.005 — Cached Domain Credentials T1003.006 — DCSync T1003.007 — Proc Filesystem T1003.008 — /etc/passwd and /etc/shadow