OS Credential Dumping (T1003)

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Source: https://github.com/mitre/cti
Related Prelude attack chains

  • Can this host mitigate procedures used in LokiBot malware?
    Emulates LokiBot Password Stealer's procedures for credential harvesting.
  • Conti Privilege Escalation and Persistence
    Use PrintNightmare & ZeroLogon exploits to gain privileges and extract the krbtgt NTLM hash from a DC.