Esc
OS Credential Dumping - T1003
(ATT&CK® Technique)
Definition
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1003["OS Credential Dumping"] --> |may-access| Process["Process"]; class T1003 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1003 href "/offensive-technique/attack/T1003/"; click Process href "/dao/artifact/d3f:Process"; T1003["OS Credential Dumping"] --> |may-modify| Log["Log"]; class T1003 OffensiveTechniqueNode;
class Log ArtifactNode; click Log href "/dao/artifact/d3f:Log";
click T1003 href "/offensive-technique/attack/T1003/"; click Log href "/dao/artifact/d3f:Log"; T1003["OS Credential Dumping"] --> |may-modify| EventLog["Event Log"]; class T1003 OffensiveTechniqueNode;
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
click T1003 href "/offensive-technique/attack/T1003/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1003["OS Credential Dumping"] --> |accesses| OperatingSystemFile["Operating System File"]; class T1003 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1003 href "/offensive-technique/attack/T1003/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; T1003["OS Credential Dumping"] --> |accesses| PasswordFile["Password File"]; class T1003 OffensiveTechniqueNode;
class PasswordFile ArtifactNode; click PasswordFile href "/dao/artifact/d3f:PasswordFile";
click T1003 href "/offensive-technique/attack/T1003/"; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; T1003["OS Credential Dumping"] --> |accesses| ProcessImage["Process Image"]; class T1003 OffensiveTechniqueNode;
class ProcessImage ArtifactNode; click ProcessImage href "/dao/artifact/d3f:ProcessImage";
click T1003 href "/offensive-technique/attack/T1003/"; click ProcessImage href "/dao/artifact/d3f:ProcessImage"; T1003["OS Credential Dumping"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1003 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1003 href "/offensive-technique/attack/T1003/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1003["OS Credential Dumping"] --> |may-access| SystemPasswordDatabase["System Password Database"]; class T1003 OffensiveTechniqueNode;
class SystemPasswordDatabase ArtifactNode; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase";
click T1003 href "/offensive-technique/attack/T1003/"; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase"; T1003["OS Credential Dumping"] --> |accesses| AuthenticationService["Authentication Service"]; class T1003 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1003 href "/offensive-technique/attack/T1003/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; T1003["OS Credential Dumping"] --> |may-access| AuthenticationService["Authentication Service"]; class T1003 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1003 href "/offensive-technique/attack/T1003/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; T1003["OS Credential Dumping"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003 OffensiveTechniqueNode;
class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential";
click T1003 href "/offensive-technique/attack/T1003/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003["OS Credential Dumping"] --> |accesses| Process["Process"]; class T1003 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1003 href "/offensive-technique/attack/T1003/"; click Process href "/dao/artifact/d3f:Process"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | EncryptedCredential["Encrypted Credential"];
DecoyUserCredential["Decoy User Credential"] -.->
| may-deceive | T1003["OS Credential Dumping"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; DecoyFile["Decoy File"] -->
| spoofs | PasswordFile["Password File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1003["OS Credential Dumping"] ;
class DecoyFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemFile["Operating System File"];
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | EncryptedCredential["Encrypted Credential"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; CredentialRevocation["Credential Revocation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
CredentialRevocation["Credential Revocation"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class CredentialRevocation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | Process["Process"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class HostShutdown DefensiveTechniqueNode;
class Process ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemFile["Operating System File"];
FileEviction["File Eviction"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class FileEviction DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | PasswordFile["Password File"];
class FileEviction DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PasswordFile["Password File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemFile["Operating System File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| uses | EncryptedCredential["Encrypted Credential"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; FileEncryption["File Encryption"] -->
| encrypts | PasswordFile["Password File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class FileEncryption DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemFile["Operating System File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; CredentialRotation["Credential Rotation"] -->
| regenerates | EncryptedCredential["Encrypted Credential"];
CredentialRotation["Credential Rotation"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class CredentialRotation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | Process["Process"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | Process["Process"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| isolates | Process["Process"];
class SystemCallFiltering DefensiveTechniqueNode;
class Process ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| isolates | EncryptedCredential["Encrypted Credential"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PasswordFile["Password File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemFile["Operating System File"];
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ReissueCredential["Reissue Credential"] -->
| restores | EncryptedCredential["Encrypted Credential"];
ReissueCredential["Reissue Credential"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class ReissueCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential"; RestoreDatabase["Restore Database"] -->
| restores | PasswordFile["Password File"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class RestoreDatabase DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreDatabase["Restore Database"] -->
| restores | SystemPasswordDatabase["System Password Database"];
class RestoreDatabase DefensiveTechniqueNode;
class SystemPasswordDatabase ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] -->
| restores | PasswordFile["Password File"];
RestoreFile["Restore File"] -.->
| may-restore | T1003["OS Credential Dumping"] ;
class RestoreFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | OperatingSystemFile["Operating System File"];
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; CredentialHardening["Credential Hardening"] -->
| hardens | EncryptedCredential["Encrypted Credential"];
CredentialHardening["Credential Hardening"] -.->
| may-harden | T1003["OS Credential Dumping"] ;
class CredentialHardening DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialHardening href "/technique/d3f:CredentialHardening"; FileAnalysis["File Analysis"] -->
| analyzes | PasswordFile["Password File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class FileAnalysis DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
SystemFileAnalysis["System File Analysis"] -.->
| may-detect | T1003["OS Credential Dumping"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1003["OS Credential Dumping"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; HostReboot["Host Reboot"] -->
| terminates | Process["Process"];
class HostReboot DefensiveTechniqueNode;
class Process ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | OperatingSystemFile["Operating System File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1003["OS Credential Dumping"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | PasswordFile["Password File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";