title: OS Credential Dumping (T1003)
id: df00tech-t1003
status: experimental
description: "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT."
references:
  - https://attack.mitre.org/techniques/T1003/
  - https://df00tech.com/detections/T1003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated. The selection below is a
  # placeholder that matches every process_creation event; replace it with the
  # KQL/SPL query on df00tech before enabling this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate security tools and EDR agents (CrowdStrike Falcon, Carbon Black, SentinelOne) that access LSASS for memory scanning and threat detection"
  - "Authorized penetration testing or red team exercises using Mimikatz or ProcDump against non-production systems"
  - "IT helpdesk or sysadmin tools that access SAM or SECURITY hives for backup, recovery, or password synchronization tasks"
  - "Microsoft SCCM, Intune, or backup agents that read registry hives during system state backups"
  - "Vulnerability scanning tools (Tenable Nessus, Qualys) that enumerate credential-related registry keys during credentialed scans"
level: critical
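The rule above ships with a placeholder selection (`EventID: '*'`). The following Python is an added example, not part of the rule or of df00tech's tooling: it implements the small subset of Sigma matching this rule uses (one selection map, AND across fields, wildcard string patterns) and a pre-deployment check that flags a detection whose only constraints are bare wildcards. The events, the `NARROW_DETECTION` comparison rule and all function names are constructed for this example.

```python
import fnmatch

# Detection block of the rule above, transcribed as a Python dict
# (constructed for this example so it runs without a YAML parser).
STUB_DETECTION = {"selection": {"EventID": "*"}, "condition": "selection"}

# A tighter selection in the same shape, constructed only to show that the
# evaluator does discriminate once real field constraints are present.
NARROW_DETECTION = {
    "selection": {"EventID": "1", "Image": "*\\notepad.exe"},
    "condition": "selection",
}

# Constructed process_creation events (Sysmon EventID 1 / Security 4688).
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": "4688", "Image": "C:\\Windows\\explorer.exe"},
]


def value_matches(pattern, actual):
    """Sigma string semantics: a list is OR-ed, '*' and '?' are wildcards,
    comparison is case-insensitive."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(str(actual).lower(), str(p).lower())
               for p in patterns)


def selection_matches(selection, event):
    """Every field in a selection map must match (AND)."""
    return all(field in event and value_matches(pat, event[field])
               for field, pat in selection.items())


def rule_matches(detection, event):
    """Evaluate a detection whose condition names a single selection."""
    return selection_matches(detection[detection["condition"]], event)


def is_catch_all(detection):
    """True when no field carries a real constraint (every pattern is a bare
    '*'): such a rule fires on every event in its logsource."""
    selection = detection[detection["condition"]]
    return all(str(p) == "*" for p in selection.values())


def hit_rate(detection, events):
    """Fraction of events the rule fires on; 1.0 means it filters nothing."""
    return sum(rule_matches(detection, e) for e in events) / len(events)
```

Gating on `is_catch_all` (or on a hit rate of 1.0 against a benign baseline) in a rule pipeline stops a stub like this one from being promoted to a `critical` alert.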
