T1003 - OS Credential Dumping

Tactics: Credential Access
Platforms: Linux, macOS, Windows
Detection: Not specified
Description:
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. (Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Sub-techniques (8)
ID ATT&CK
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1003.003 NTDS
T1003.004 LSA Secrets
T1003.005 Cached Domain Credentials
T1003.006 DCSync
T1003.007 Proc Filesystem
T1003.008 /etc/passwd and /etc/shadow