MITRE ATT&CK Technique
Credential Access
T1003
Description
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. (Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Supported Platforms
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:19.735Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to dump credentials to obtain account '
'login and credential material, normally in the form of a hash '
'or a clear text password. Credentials can be obtained from OS '
'caches, memory, or structures.(Citation: Brining MimiKatz to '
'Unix) Credentials can then be used to perform [Lateral '
'Movement](https://attack.mitre.org/tactics/TA0008) and access '
'restricted information.\n'
'\n'
'Several of the tools mentioned in associated sub-techniques '
'may be used by both adversaries and professional security '
'testers. Additional custom tools likely exist as well.\n',
'external_references': [{'external_id': 'T1003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1003'},
{'description': 'French, D. (2018, October 2). '
'Detecting Attempts to Steal '
'Passwords from Memory. Retrieved '
'October 11, 2019.',
'source_name': 'Medium Detecting Attempts to Steal '
'Passwords from Memory',
'url': 'https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea'},
{'description': 'Metcalf, S. (2015, September 25). '
'Mimikatz DCSync Usage, Exploitation, '
'and Detection. Retrieved December 4, '
'2017.',
'source_name': 'AdSecurity DCSync Sept 2015',
'url': 'https://adsecurity.org/?p=1729'},
{'description': 'Microsoft. (2017, December 1). '
'MS-DRSR Directory Replication '
'Service (DRS) Remote Protocol. '
'Retrieved December 4, 2017.',
'source_name': 'Microsoft DRSR Dec 2017',
'url': 'https://msdn.microsoft.com/library/cc228086.aspx'},
{'description': 'Microsoft. (2017, December 1). '
'MS-NRPC - Netlogon Remote Protocol. '
'Retrieved December 6, 2017.',
'source_name': 'Microsoft NRPC Dec 2017',
'url': 'https://msdn.microsoft.com/library/cc237008.aspx'},
{'description': 'Microsoft. (n.d.). '
'IDL_DRSGetNCChanges (Opnum 3). '
'Retrieved December 4, 2017.',
'source_name': 'Microsoft GetNCCChanges',
'url': 'https://msdn.microsoft.com/library/dd207691.aspx'},
{'description': 'Microsoft. (n.d.). MS-SAMR Security '
'Account Manager (SAM) Remote '
'Protocol (Client-to-Server) - '
'Transport. Retrieved December 4, '
'2017.',
'source_name': 'Microsoft SAMR',
'url': 'https://msdn.microsoft.com/library/cc245496.aspx'},
{'description': 'PowerSploit. (n.d.). Retrieved '
'December 4, 2014.',
'source_name': 'Powersploit',
'url': 'https://github.com/mattifestation/PowerSploit'},
{'description': 'SambaWiki. (n.d.). DRSUAPI. '
'Retrieved December 4, 2017.',
'source_name': 'Samba DRSUAPI',
'url': 'https://wiki.samba.org/index.php/DRSUAPI'},
{'description': 'Schroeder, W. (2015, September 22). '
'Mimikatz and DCSync and ExtraSids, '
'Oh My. Retrieved December 4, 2017.',
'source_name': 'Harmj0y DCSync Sept 2015',
'url': 'http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/'},
{'description': 'Tim Wadhwa-Brown. (2018, November). '
'Where 2 worlds collide Bringing '
'Mimikatz et al to UNIX. Retrieved '
'October 13, 2021.',
'source_name': 'Brining MimiKatz to Unix',
'url': 'https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf'}],
'id': 'attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:22.201Z',
'name': 'OS Credential Dumping',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Vincent Le Toux',
'Ed Williams, Trustwave, SpiderLabs',
'Tim (Wadhwa-)Brown',
'Yves Yonan'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '2.2'}