MITRE ATT&CK: Credential dumping

Introduction

When attackers have established a foothold on a system, one of their primary objectives is typically to find user (and especially privileged) credentials — usernames and passwords. Credentials are incredibly useful information, as they can grant access to critical systems.

Did you know that uncovering credentials on one system can also yield credentials for other users, so that a single foothold on one system can potentially branch out into almost every other system on that network? Attackers know this and use a technique called credential dumping to obtain these credentials in furtherance of their attack.

This article will detail the credential dumping attack technique as presented in the MITRE ATT&CK matrix. We’ll explore several different key concepts of credential dumping in both Windows and Linux systems.

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organizational capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base serves as the foundation for developing threat models and methodologies for the cybersecurity product/service community, the private sector and government. More information on the MITRE ATT&CK matrix can be found here.

What is credential dumping?

Credential dumping refers to obtaining login information (usernames and passwords) from a system’s operating system (OS) and software. These credentials are then used to access restricted information, perform lateral movement and install other malware. A security researcher compared this process to a thief breaking into your house and stealing a set of key copies — house, car, office and so on. Credential dumping is (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ZF44Usfpw-E/