Esc
OS Credential Dumping - T1003
(ATT&CK® Technique)
Definition
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1003["OS Credential Dumping"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003 OffensiveTechniqueNode;
class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential";
click T1003 href "/offensive-technique/attack/T1003/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003["OS Credential Dumping"] --> |accesses| Process["Process"]; class T1003 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1003 href "/offensive-technique/attack/T1003/"; click Process href "/dao/artifact/d3f:Process"; T1003["OS Credential Dumping"] --> |may-access| Process["Process"]; class T1003 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1003 href "/offensive-technique/attack/T1003/"; click Process href "/dao/artifact/d3f:Process"; T1003["OS Credential Dumping"] --> |may-modify| Log["Log"]; class T1003 OffensiveTechniqueNode;
class Log ArtifactNode; click Log href "/dao/artifact/d3f:Log";
click T1003 href "/offensive-technique/attack/T1003/"; click Log href "/dao/artifact/d3f:Log"; T1003["OS Credential Dumping"] --> |may-modify| EventLog["Event Log"]; class T1003 OffensiveTechniqueNode;
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
click T1003 href "/offensive-technique/attack/T1003/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1003["OS Credential Dumping"] --> |accesses| OperatingSystemFile["Operating System File"]; class T1003 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1003 href "/offensive-technique/attack/T1003/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; T1003["OS Credential Dumping"] --> |accesses| PasswordFile["Password File"]; class T1003 OffensiveTechniqueNode;
class PasswordFile ArtifactNode; click PasswordFile href "/dao/artifact/d3f:PasswordFile";
click T1003 href "/offensive-technique/attack/T1003/"; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; T1003["OS Credential Dumping"] --> |accesses| ProcessImage["Process Image"]; class T1003 OffensiveTechniqueNode;
class ProcessImage ArtifactNode; click ProcessImage href "/dao/artifact/d3f:ProcessImage";
click T1003 href "/offensive-technique/attack/T1003/"; click ProcessImage href "/dao/artifact/d3f:ProcessImage"; T1003["OS Credential Dumping"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1003 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1003 href "/offensive-technique/attack/T1003/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1003["OS Credential Dumping"] --> |may-access| SystemPasswordDatabase["System Password Database"]; class T1003 OffensiveTechniqueNode;
class SystemPasswordDatabase ArtifactNode; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase";
click T1003 href "/offensive-technique/attack/T1003/"; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase"; T1003["OS Credential Dumping"] --> |accesses| AuthenticationService["Authentication Service"]; class T1003 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1003 href "/offensive-technique/attack/T1003/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; T1003["OS Credential Dumping"] --> |may-access| AuthenticationService["Authentication Service"]; class T1003 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1003 href "/offensive-technique/attack/T1003/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemFile["Operating System File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1003["OS Credential Dumping"] ;
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | PasswordFile["Password File"];
class DecoyFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | EncryptedCredential["Encrypted Credential"];
DecoyUserCredential["Decoy User Credential"] -.->
| may-deceive | T1003["OS Credential Dumping"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | EncryptedCredential["Encrypted Credential"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemFile["Operating System File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PasswordFile["Password File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; CredentialRevocation["Credential Revocation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
CredentialRevocation["Credential Revocation"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class CredentialRevocation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; HostShutdown["Host Shutdown"] -->
| terminates | Process["Process"];
class HostShutdown DefensiveTechniqueNode;
class Process ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; FileEviction["File Eviction"] -->
| deletes | PasswordFile["Password File"];
FileEviction["File Eviction"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class FileEviction DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemFile["Operating System File"];
class FileEviction DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| uses | EncryptedCredential["Encrypted Credential"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialRotation["Credential Rotation"] -->
| regenerates | EncryptedCredential["Encrypted Credential"];
CredentialRotation["Credential Rotation"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class CredentialRotation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation"; FileEncryption["File Encryption"] -->
| encrypts | PasswordFile["Password File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class FileEncryption DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemFile["Operating System File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemFile["Operating System File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PasswordFile["Password File"];
class LocalFilePermissions DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | Process["Process"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | Process["Process"];
class Application-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] -->
| isolates | Process["Process"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class Process ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| isolates | EncryptedCredential["Encrypted Credential"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; RestoreDatabase["Restore Database"] -->
| restores | SystemPasswordDatabase["System Password Database"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class RestoreDatabase DefensiveTechniqueNode;
class SystemPasswordDatabase ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreDatabase["Restore Database"] -->
| restores | PasswordFile["Password File"];
class RestoreDatabase DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] -->
| restores | OperatingSystemFile["Operating System File"];
RestoreFile["Restore File"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | PasswordFile["Password File"];
class RestoreFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; ReissueCredential["Reissue Credential"] -->
| restores | EncryptedCredential["Encrypted Credential"];
ReissueCredential["Reissue Credential"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class ReissueCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential"; FileAnalysis["File Analysis"] -->
| analyzes | PasswordFile["Password File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class FileAnalysis DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; CredentialHardening["Credential Hardening"] -->
| hardens | EncryptedCredential["Encrypted Credential"];
CredentialHardening["Credential Hardening"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class CredentialHardening DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialHardening href "/technique/d3f:CredentialHardening"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
SystemFileAnalysis["System File Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | Process["Process"];
HostReboot["Host Reboot"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class HostReboot DefensiveTechniqueNode;
class Process ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | OperatingSystemFile["Operating System File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | PasswordFile["Password File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";