Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Credential Access/ T1003

T1003OS Credential Dumping

T1003 — OS Credential Dumping is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 16 detection use cases covering it and 106 threat-intel articles citing it.

Credential Access
View on the matrix → Filter Detection Library MITRE official spec ↗
16Use cases
106Articles
8Sub-techniques
1Tactic

Sub-techniques (8)

T1003.008 · /etc/passwd and /etc/shadowT1003.005 · Cached Domain CredentialsT1003.006 · DCSyncT1003.004 · LSA SecretsT1003.001 · LSASS MemoryT1003.003 · NTDST1003.007 · Proc FilesystemT1003.002 · Security Account Manager

Use cases covering this technique (16)

LSASS process access / dump (credential theft) Internal actions · alerting DSΣP Attacker Tools On Endpoint ESCU actions · alerting P Detect Mimikatz With PowerShell Script Block Logging ESCU actions · alerting P Enable WDigest UseLogonCredential Registry ESCU actions · alerting P PetitPotam Suspicious Kerberos TGT Request ESCU actions · alerting P Windows LAPS Password Gathering Via PowerShell Script ESCU actions · hunting P Windows Mimikatz Binary Execution ESCU actions · alerting P Windows Post Exploitation Risk Behavior ESCU actions · alerting P Windows Remote Access Software BRC4 Loaded Dll ESCU actions · hunting P Cisco Secure Firewall - High Priority Intrusion Classification ESCU actions · alerting P [LLM] Cross-platform memory scraping of GitHub Actions Runner.Worker process Bespoke actions · hunting DSPDDCS [LLM] GitHub Actions Runner.Worker process-memory secret scraping (Miasma payload) Bespoke actions · alerting DSΣPDDCS [LLM] GitHub Actions runner credential stealer: python3 base64-decoded payload reading /proc/<pid>/mem Bespoke actions · hunting DSPDD [LLM] Cacheract memdump.py download/execution on CI runner or developer host Bespoke install · alerting DSΣPDD [LLM] tj-actions/changed-files compromise: memdump.py secret-exfiltration shell pattern on runner (CVE-2025-30066) Bespoke actions · alerting DSΣPDD [LLM] Runner.Worker process memory dumped via /proc/PID/mem read on Linux runner Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (106)

crit Chinese hackers hijack auth flow, spy on isolated network for a decade art-07
high Ukrainian national pleads guilty to role in Conti ransomware operation art-24
high CISA orders feds to patch actively exploited Ivanti flaw by Sunday art-34
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
high A tale of two eras art-40
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
crit CISA KEV: CVE-2026-50751 — Check Point Security Gateway Improper Authentication Vulnerability art-111
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
crit Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection art-178
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
crit ESET APT Activity Report Q4 2025–Q1 2026 art-189
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit CISA KEV: CVE-2026-48027 — Nx Console Embedded Malicious Code Vulnerability art-203
crit CISA KEV: CVE-2026-45321 — TanStack Unspecified Vulnerability art-204
crit IT threat evolution in Q1 2026. Mobile statistics art-278
high The time of much patching is coming art-296
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
crit CISA KEV: CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability art-344
crit CISA KEV: CVE-2024-1708 — ConnectWise ScreenConnect Path Traversal Vulnerability art-350
crit CISA KEV: CVE-2024-57728 — SimpleHelp Path Traversal Vulnerability art-358
crit CISA KEV: CVE-2024-57726 — SimpleHelp Missing Authorization Vulnerability art-359
crit What the ransom note won’t say art-370
crit CISA KEV: CVE-2023-27351 — PaperCut NG/MF Improper Authentication Vulnerability art-374
crit CISA KEV: CVE-2024-27199 — JetBrains TeamCity Relative Path Traversal Vulnerability art-378
crit CISA KEV: CVE-2023-21529 — Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability art-390
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
crit EDR killers explained: Beyond the drivers art-455
crit CISA KEV: CVE-2026-20131 — Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management art-457
crit Cyber fallout from the Iran war: What to have on your radar art-474
high kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package art-475
crit How SMBs use threat research and MDR to build a defensive edge art-486
crit Protecting education: How MDR can tip the balance in favor of schools art-491
high PromptSpy ushers in the era of Android threats using GenAI art-519
crit CISA KEV: CVE-2024-7694 — TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability art-531
crit CISA KEV: CVE-2026-1731 — BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability art-543
crit Naming and shaming: How ransomware groups tighten the screws on victims art-544
high Harden-Runner detection: tj-actions/changed-files action is compromised art-556
crit CISA KEV: CVE-2026-24423 — SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability art-576
crit DynoWiper update: Technical analysis and attribution art-590
crit CISA KEV: CVE-2025-52691 — SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability art-599
crit CISA KEV: CVE-2026-23760 — SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability art-600
crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608
crit ESET Threat Report H2 2025 art-647
high Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised art-653
high Black Hat Europe 2025: Reputation matters – even in the ransomware economy art-660
crit CISA KEV: CVE-2025-55182 — Meta React Server Components Remote Code Execution Vulnerability art-670
high In memoriam: David Harley art-713
high Ground zero: 5 things to do after discovering a cyberattack art-722
high How MDR can give MSPs the edge in a competitive market art-730
crit CISA KEV: CVE-2025-61884 — Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability art-743
crit CISA KEV: CVE-2025-61882 — Oracle E-Business Suite Unspecified Vulnerability art-764
crit CISA KEV: CVE-2025-10035 — Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability art-773
crit CISA KEV: CVE-2025-49704 — Microsoft SharePoint Code Injection Vulnerability art-841
crit CISA KEV: CVE-2025-53770 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability art-844
crit CISA KEV: CVE-2025-5777 — Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability art-848
crit CISA KEV: CVE-2019-6693 — Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability art-860
high Finding Software Flaws Early in the Development Process Provides Clear ROI art-871
crit CISA KEV: CVE-2025-31324 — SAP NetWeaver Unrestricted File Upload Vulnerability art-923
crit CISA KEV: CVE-2025-29824 — Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability art-936
crit CISA KEV: CVE-2025-31161 — CrushFTP Authentication Bypass Vulnerability art-938
crit CISA KEV: CVE-2025-22457 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability art-939
crit CISA KEV: CVE-2025-24472 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability art-956
crit Reconstructing the TJ Actions Changed Files GitHub Actions Compromise art-957
crit CISA KEV: CVE-2025-26633 — Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability art-970
crit CISA KEV: CVE-2025-22225 — VMware ESXi Arbitrary Write Vulnerability art-978
crit CISA KEV: CVE-2018-8639 — Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability art-982
crit CISA KEV: CVE-2024-53704 — SonicWall SonicOS SSLVPN Improper Authentication Vulnerability art-998
crit CISA KEV: CVE-2024-57727 — SimpleHelp Path Traversal Vulnerability art-999
crit CISA KEV: CVE-2025-23006 — SonicWall SMA1000 Appliances Deserialization Vulnerability art-1021
crit CISA KEV: CVE-2024-55591 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability art-1032
crit CISA KEV: CVE-2023-48365 — Qlik Sense HTTP Tunneling Vulnerability art-1033
crit CISA KEV: CVE-2025-0282 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability art-1037
crit CISA KEV: CVE-2024-55550 — Mitel MiCollab Path Traversal Vulnerability art-1039
crit CISA KEV: CVE-2024-55956 — Cleo Multiple Products Unauthenticated File Upload Vulnerability art-1051
crit CISA KEV: CVE-2024-50623 — Cleo Multiple Products Unrestricted File Upload Vulnerability art-1054
crit CISA KEV: CVE-2024-51378 — CyberPanel Incorrect Default Permissions Vulnerability art-1060
crit CISA KEV: CVE-2024-11667 — Zyxel Multiple Firewalls Path Traversal Vulnerability art-1063
crit CISA KEV: CVE-2023-28461 — Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability art-1069
crit CISA KEV: CVE-2024-9474 — Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability art-1078
crit CISA KEV: CVE-2024-49039 — Microsoft Windows Task Scheduler Privilege Escalation Vulnerability art-1089
crit CISA KEV: CVE-2024-51567 — CyberPanel Incorrect Default Permissions Vulnerability art-1091
crit CISA KEV: CVE-2024-38094 — Microsoft SharePoint Deserialization Vulnerability art-1106
crit CISA KEV: CVE-2024-40711 — Veeam Backup and Replication Deserialization Vulnerability art-1111
crit CISA KEV: CVE-2024-9680 — Mozilla Firefox Use-After-Free Vulnerability art-1114
crit CISA KEV: CVE-2024-30088 — Microsoft Windows Kernel TOCTOU Race Condition Vulnerability art-1115
crit CISA KEV: CVE-2024-6670 — Progress WhatsUp Gold SQL Injection Vulnerability art-1151
crit CISA KEV: CVE-2024-40766 — SonicWall SonicOS Improper Access Control Vulnerability art-1157
crit CISA KEV: CVE-2017-1000253 — Linux Kernel PIE Stack Buffer Corruption Vulnerability art-1158
crit CISA KEV: CVE-2024-23897 — Jenkins Command Line Interface (CLI) Path Traversal Vulnerability art-1177
crit CISA KEV: CVE-2024-37085 — VMware ESXi Authentication Bypass Vulnerability art-1197
crit CISA KEV: CVE-2024-26169 — Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability art-1230
crit CISA KEV: CVE-2024-4577 — PHP-CGI OS Command Injection Vulnerability art-1234
crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274