T1003 — OS Credential Dumping

Technique

T1003

Tactics

Credential Access

MISP citations

0

KEV CVEs mapped

18

Community rules

36

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1003

MITRE description

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-32756
• CVE-2025-32709
• CVE-2025-21335
• CVE-2025-21334
• CVE-2025-21333
• CVE-2025-0282
• CVE-2024-57727
• CVE-2024-48248
• CVE-2024-4577
• CVE-2023-28252
• CVE-2021-44515
• CVE-2021-44077
• CVE-2021-40539
• CVE-2021-22893
• CVE-2020-5902
• CVE-2019-13608
• CVE-2019-11634
• CVE-2019-0604

Detection coverage

SigmaHQ community rules

• Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 (emerging-threats)
• Access To Chromium Browsers Sensitive Files By Uncommon Applications (threat-hunting)
• Access To Browser Credential Files By Uncommon Applications (threat-hunting)
• OpenCanary - MSSQL Login Attempt Via SQLAuth (core)
• OpenCanary - MSSQL Login Attempt Via Windows Authentication (core)
• OpenCanary - MySQL Login Attempt (core)
• OpenCanary - REDIS Action Command Attempt (core)
• Antivirus Password Dumper Detection (core)
• PUA - AWS TruffleHog Execution (core)
• Rare Subscription-level Operations In Azure (core)
• Linux Keylogging with Pam.d (core)
• WCE wceaux.dll Access (core)
• File Access Of Signal Desktop Sensitive Data (core)
• Credential Manager Access By Uncommon Applications (core)
• Access To Crypto Currency Wallets By Uncommon Applications (core)
• HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump (core)
• Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (core)
• HackTool - Rubeus Execution - ScriptBlock (core)
• Live Memory Dump Using Powershell (core)
• Potential Invoke-Mimikatz PowerShell Script (core)
• Esentutl Gather Credentials (core)
• Hacktool Execution - Imphash (core)
• Hacktool Execution - PE Metadata (core)
• HackTool - Rubeus Execution (core)
• Microsoft IIS Service Account Password Dumped (core)

Showing 25 of 36 community rules — the full set is tagged attack.t1003 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.