cti/enterprise-attack/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json
{
"type": "bundle",
"id": "bundle--265e144c-2d2b-407b-b1ee-393ed73e0b19",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"created": "2017-05-31T21:30:19.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003",
"external_id": "T1003"
},
{
"source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
"description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
"url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
},
{
"source_name": "AdSecurity DCSync Sept 2015",
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
"url": "https://adsecurity.org/?p=1729"
},
{
"source_name": "Microsoft DRSR Dec 2017",
"description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.",
"url": "https://msdn.microsoft.com/library/cc228086.aspx"
},
{
"source_name": "Microsoft NRPC Dec 2017",
"description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.",
"url": "https://msdn.microsoft.com/library/cc237008.aspx"
},
{
"source_name": "Microsoft GetNCCChanges",
"description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.",
"url": "https://msdn.microsoft.com/library/dd207691.aspx"
},
{
"source_name": "Microsoft SAMR",
"description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.",
"url": "https://msdn.microsoft.com/library/cc245496.aspx"
},
{
"source_name": "Powersploit",
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
"url": "https://github.com/mattifestation/PowerSploit"
},
{
"source_name": "Samba DRSUAPI",
"description": "SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.",
"url": "https://wiki.samba.org/index.php/DRSUAPI"
},
{
"source_name": "Harmj0y DCSync Sept 2015",
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
},
{
"source_name": "Brining MimiKatz to Unix",
"description": "Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.",
"url": "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-24T17:48:22.201Z",
"name": "OS Credential Dumping",
"description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Vincent Le Toux",
"Ed Williams, Trustwave, SpiderLabs",
"Tim (Wadhwa-)Brown",
"Yves Yonan"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "2.2"
}
]
}