T1003Credential Access

OS Credential Dumping

Dump credentials from LSASS, SAM, ntds.dit, /etc/shadow.

§ Where this technique fits

T1003 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

Authoritative reference: attack.mitre.org/techniques/T1003/.

§ Dossiers chaining this technique

Spectre-class side-channel → cross-tenant memory leak
Pre-mitigation cloud VM lets a co-tenant trigger speculative loads from kernel / sibling-VM memory. Cache-side-channel measurements recover sensitive data, including TLS keys + cloud creds.
step 5 / 6

§ What commonly comes next

01
Unsecured Credentials
T1552 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Spectre-class side-channel → cross-tenant memory leak

§ What commonly comes next