Description
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Sub-Techniques (8)
| ID | Sub-Technique |
|---|---|
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
Mitigations (9)
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information | Ensure Domain Controller backups are properly secured. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr) |
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| M1026 | Privileged Account Management | Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft |
| M1025 | Privileged Process Integrity | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA) |
| M1043 | Credential Access Protection | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential |
| M1015 | Active Directory Configuration | Manage the access control list for "Replicating Directory Changes All" and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL) Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials. (Citation: Microsoft Protected Users |
| M1028 | Operating System Configuration | Consider disabling or restricting NTLM. (Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication. (Citation: Microsoft WDigest Mit) |
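The host-level mitigations above (LSA Protection, the LSASS ASR rule, WDigest and Credential Guard) each reduce to a checkable setting. The following PowerShell script is an added example, not code from the ATT&CK page or from Microsoft: it reports each control in its weak versus expected state and, with -Remediate, applies the registry and ASR fixes. It assumes an elevated session on Windows 10 / Server 2016 or later with Microsoft Defender present; the ASR rule GUID is assumed and should be checked against current Defender documentation.

```powershell
# Added example, not from the ATT&CK page: audit the host-level controls in the
# mitigations above and optionally apply the registry/ASR fixes. Run in an elevated
# PowerShell on Windows 10 / Server 2016+. Credential Guard is only reported, since it
# needs VBS-capable hardware and is enabled through policy rather than a registry flip.
[CmdletBinding()]
param([switch]$Remediate)

# ASR rule "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)". GUID assumed correct; verify against current Defender docs.
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $Current, $Expected, $Ok) {
    $findings.Add([pscustomobject]@{
        Control  = $Control
        Current  = $Current
        Expected = $Expected
        Status   = $(if ($Ok) { 'OK' } else { 'WEAK' })
    })
}

# M1025: LSA runs as a Protected Process Light only when RunAsPPL is 1 (weak: absent or 0)
$runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
Add-Finding 'LSA Protection (RunAsPPL)' $runAsPpl 1 ($runAsPpl -eq 1)

# M1028: WDigest keeps plaintext passwords in LSASS unless UseLogonCredential is 0
$useLogonCred = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
Add-Finding 'WDigest UseLogonCredential' $useLogonCred 0 ($useLogonCred -eq 0)

# M1040: the LSASS ASR rule must be present with action 1 (Block); 0 = off, 2 = audit only
$mp        = Get-MpPreference -ErrorAction SilentlyContinue
$ids       = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
$actions   = @($mp.AttackSurfaceReductionRules_Actions)
$idx       = [array]::IndexOf($ids, $LsassAsrRule)
$asrAction = if ($idx -ge 0) { $actions[$idx] } else { $null }
Add-Finding 'ASR block credential theft from lsass.exe' $asrAction 1 ($asrAction -eq 1)

# M1043: Credential Guard reports as service id 1 in Win32_DeviceGuard.SecurityServicesRunning
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = [bool]($dg -and (@($dg.SecurityServicesRunning) -contains 1))
Add-Finding 'Credential Guard running' $cgRunning $true $cgRunning

$findings | Format-Table -AutoSize

if ($Remediate) {
    # RunAsPPL takes effect after a reboot; UseLogonCredential after the next logon.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule -AttackSurfaceReductionRules_Actions Enabled
}
```

A host where RunAsPPL is absent, UseLogonCredential is absent and the ASR rule is unset reports three WEAK rows; after -Remediate and a reboot the same run reports them as OK. The Active Directory controls (replication ACLs and the Protected Users group) are domain-side and are not covered by this host audit.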
Threat Groups (13)
| ID | Group | Context |
|---|---|---|
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) gathers credential material from target systems, such as SSH keys, to facilitate access to victim ... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used different versions of Mimikatz to obtain credentials.(Citation: BitDefender Chafer May 2020) |
| G0033 | Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) conducts credential dumping on victims, with a focus on obtaining credentials belonging to dom... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) utilized “Hdump” to dump credentials from memory.(Citation: Palo Alto Unit42 STATELY TAURUS TON... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used a variety of credential dumping tools.(Citation: TrendMicro Tonto Team October 2020) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used GetPassword_x64 to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybere... |
| G0039 | Suckfly | [Suckfly](https://attack.mitre.org/groups/G0039) used a signed credential-dumping tool to obtain victim account credentials.(Citation: Symantec Suckfl... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) used tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and [Mimikatz](https://... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and... |
| G0054 | Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) has used credential dumping tools.(Citation: Symantec Sowbug Nov 2017) |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has used the SecretsDump module within [Impacket](https://attack.mitre.org/software/S0357) can per... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has been known to dump credentials.(Citation: Novetta-Axiom) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used publicly available tools to dump password hashes, including [HOMEFRY](https://attack.mitre... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) obtains Windows logon password details.(Citation: FireEye CARBANAK June 2017) |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for dumping and capturing credentials from process memory.(Citation: Symantec Dagger... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin for credential harvesting.(Citation: Cylance Shaheen Nov 2018) |
| S0048 | PinchDuke | Malware | [PinchDuke](https://attack.mitre.org/software/S0048) steals credentials from compromised hosts. [PinchDuke](https://attack.mitre.org/software/S0048)'s... |
| S0052 | OnionDuke | Malware | [OnionDuke](https://attack.mitre.org/software/S0052) steals credentials from its victims.(Citation: F-Secure The Dukes) |
| S0232 | HOMEFRY | Malware | [HOMEFRY](https://attack.mitre.org/software/S0232) can perform credential dumping.(Citation: FireEye Periscope March 2018) |
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) can dump passwords and save them into <code>\ProgramData\Mail\MailAg\pwds.txt</code>.(Citat... |
References
- French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
- Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.
- Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.
- Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.
- Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
- Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
Frequently Asked Questions
What is T1003 (OS Credential Dumping)?
T1003 is a MITRE ATT&CK technique named 'OS Credential Dumping'. It belongs to the Credential Access tactic(s). Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory...
How can T1003 be detected?
Detection of T1003 (OS Credential Dumping) relies mainly on endpoint and domain controller telemetry rather than network traffic. On endpoints, monitor for processes opening a handle to lsass.exe with memory-read access (Sysmon Event ID 10, the signal described in the French 2018 reference) and for unexpected reads or copies of the SAM, SECURITY and NTDS.dit files or their registry hives. On domain controllers, alert on directory replication requests (DRSUAPI, surfaced as Security Event ID 4662 with the "Replicating Directory Changes" control-access rights) that originate from accounts or hosts that are not domain controllers, which is the signature of DCSync. Signatures for known tooling such as Mimikatz and Impacket's secretsdump belong in EDR as well, but behavioural rules are what catch renamed or custom tools.
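The two behavioural checks just described, expressed as an added PowerShell example that is not part of the ATT&CK page. It runs over constructed sample records shaped like flattened Get-WinEvent output (Sysmon Event ID 10 and Security Event ID 4662 fields reduced to strings, which is an assumption); the allow-listed source images and the list of domain controller accounts are assumptions to be tuned per environment.

```powershell
# Added example, not from the ATT&CK page: two detection checks for T1003 run over
# constructed event records shaped like flattened Get-WinEvent output. In real use
# replace $events with Get-WinEvent results; allow-lists below are assumptions to tune.

# Sysmon Event ID 10 (ProcessAccess) on lsass.exe: credential dumpers need PROCESS_VM_READ
# (0x10); a GrantedAccess of 0x1010 or 0x1FFFFF is the classic Mimikatz pattern, while
# 0x1000 (query limited information) is routine. Benign callers are allow-listed by path.
$LsassReadMask  = 0x10
$AllowedSources = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe')

# Security Event ID 4662: control-access rights used by DCSync (DRSUAPI replication)
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
$DomainControllers = @('DC01$', 'DC02$')   # computer accounts expected to replicate (assumption)

function Test-LsassAccess {
    param($Record)
    if ($Record.Id -ne 10 -or $Record.TargetImage -notlike '*\lsass.exe') { return $false }
    $mask = [Convert]::ToInt32($Record.GrantedAccess, 16)
    if (($mask -band $LsassReadMask) -eq 0) { return $false }
    return ($AllowedSources -notcontains $Record.SourceImage)
}

function Test-DcSync {
    param($Record)
    if ($Record.Id -ne 4662) { return $false }
    if ($Record.Properties -notmatch ($ReplicationGuids -join '|')) { return $false }
    # Replication rights requested by anything other than a DC computer account is DCSync
    return ($DomainControllers -notcontains $Record.SubjectUserName)
}

# Constructed sample records, not real telemetry
$events = @(
    [pscustomobject]@{ Id = 10;   SourceImage = 'C:\Windows\System32\csrss.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }
    [pscustomobject]@{ Id = 10;   SourceImage = 'C:\Users\bob\Downloads\mk.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'DC02$';  Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jsmith'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
)

foreach ($e in $events) {
    if (Test-LsassAccess $e) { "ALERT T1003.001: $($e.SourceImage) opened lsass.exe with GrantedAccess $($e.GrantedAccess)" }
    if (Test-DcSync $e)      { "ALERT T1003.006: $($e.SubjectUserName) requested directory replication rights" }
}
```

Against the constructed records only the second and fourth fire: the csrss.exe access lacks the read bit, and DC02$ is a legitimate replication partner. In production, feed Test-DcSync only 4662 events whose object is the domain naming context, and keep the domain controller list derived from the Domain Controllers OU rather than hard-coded.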
What mitigations exist for T1003?
There are 9 documented mitigations for T1003. Key mitigations include: Encrypt Sensitive Information, Behavior Prevention on Endpoint, Password Policies, User Training, Privileged Account Management.
Which threat groups use T1003?
Known threat groups using T1003 include: Ember Bear, APT39, Poseidon Group, Mustang Panda, Tonto Team, APT32, Suckfly, BlackByte.