T1003
OS Credential Dumping
Credential Access
Description
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a password hash or a clear-text password. Credentials can be obtained from OS caches, memory, or on-disk structures.(Citation: Brining MimiKatz to Unix) Once obtained, credentials can be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and to access restricted information. Several of the tools mentioned in the associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Platforms
Linux, macOS, Windows
Mitigations
- M1041 — Encrypt Sensitive Information
- M1040 — Behavior Prevention on Endpoint
- M1027 — Password Policies
- M1017 — User Training
- M1026 — Privileged Account Management
- M1025 — Privileged Process Integrity
- M1043 — Credential Access Protection
- M1015 — Active Directory Configuration
- M1028 — Operating System Configuration
Source: MITRE ATT&CK Enterprise matrix (attack.mitre.org).