Technique ID: T1003
Category: MITRE ATT&CK
Tactics: Credential Access
Published: March 2026

T1003: OS Credential Dumping

Adversaries extract credential material — password hashes, plaintext passwords, Kerberos tickets, and cached domain credentials — from operating system caches, process memory, and directory databases. A single successful credential dump from a domain controller compromises every account in the Active Directory forest simultaneously. There is no need to crack passwords one by one. The attacker obtains the keys to the entire kingdom in a single operation.

universal post-exploitation technique

The Red Canary 2026 Threat Detection Report ranks Mimikatz — the primary tool for T1003 — as the #4 threat, affecting 3.1% of monitored customers even after excluding red team activity. The 2025 Verizon DBIR found that 54% of ransomware victims had credentials previously exposed in infostealer logs. Credential dumping is the gateway to lateral movement, privilege escalation, and domain compromise in virtually every major intrusion.

T1003 maps to the Credential Access tactic. Unlike credential theft techniques that target user-facing applications (T1555 Credentials from Password Stores), T1003 targets the operating system itself — the processes, files, and databases where Windows, Linux, and macOS store authentication material for logged-in users and service accounts. The credentials obtained through T1003 enable pass-the-hash attacks, pass-the-ticket attacks, Golden Ticket forgery, and direct authentication to systems across the environment.

This technique is a mandatory step in nearly every ransomware playbook and espionage campaign. Attackers who achieve initial access and escalate privileges immediately pursue credential dumping because it transforms a single compromised endpoint into access to every system that shares authentication with the compromised accounts. The Conti ransomware playbook, leaked in 2022, documented NTDS.dit dumping via secretsdump.py as a required step following domain admin escalation. LockBit, Akira, Play, and Medusa ransomware groups all follow the same pattern.

How Credential Dumping Works

Windows stores credentials in several locations, each targeted by a different sub-technique. The fundamental challenge for defenders is that these storage mechanisms exist for legitimate operational reasons — users need single sign-on, services need service account credentials, and domain controllers need the master authentication database. Attackers exploit these necessary functions rather than vulnerabilities, making T1003 a technique that cannot be patched away.

The general attack flow follows a consistent pattern: gain administrative or SYSTEM privileges on a target, access the credential store (LSASS memory, SAM database, NTDS.dit, or registry hives), extract the credential material (hashes, tickets, or plaintext), and use the extracted credentials for lateral movement to additional systems. Each step uses either built-in Windows tools (living off the land) or widely available offensive tools.

Sub-Techniques

T1003.001 — LSASS Memory

The Local Security Authority Subsystem Service (lsass.exe) stores credentials of logged-in users in memory to enable single sign-on without requiring re-authentication. These credentials include NTLM hashes, Kerberos tickets, and in some configurations, plaintext passwords. Extracting credentials from LSASS memory is the single most common credential dumping method.

Mimikatz's sekurlsa::logonpasswords command is the canonical tool for LSASS credential extraction, but attackers increasingly use living-off-the-land techniques to avoid deploying a known malicious binary. The built-in Windows comsvcs.dll MiniDump function, Microsoft's legitimate ProcDump tool, and direct access to the LSASS process via the Windows API all enable memory extraction without Mimikatz. The LSASS memory can also be dumped from the Task Manager GUI (right-click lsass.exe > Create dump file), exfiltrated, and analyzed offline on the attacker's system.

T1003.002 — Security Account Manager (SAM)

The SAM database (%SystemRoot%\system32\config\SAM) stores hashed passwords for all local user accounts on a Windows system. Because the file is locked by the OS during normal operation, attackers use Volume Shadow Copy Service (VSS), registry export (reg save HKLM\SAM), or in-memory tools to access its contents. Extracted SAM hashes enable pass-the-hash attacks against local accounts across endpoints that share the same local administrator password — a common misconfiguration that tools like LAPS are designed to prevent.

T1003.003 — NTDS

The NTDS.dit file (%SystemRoot%\NTDS\Ntds.dit) is the Active Directory database stored on domain controllers. It contains NTLM hashes and Kerberos keys for every domain account. A single successful extraction compromises the entire AD forest. Because the file is locked during operation, attackers use three primary methods: VSS snapshots (vssadmin create shadow followed by copying from the shadow), the ntdsutil IFM (Install From Media) functionality, or remote extraction via Impacket's secretsdump.py. A fourth approach involves powering down a domain controller VM, copying its VMDK files, and extracting NTDS.dit offline — a technique documented in Akira ransomware operations.

T1003.004 — LSA Secrets

LSA Secrets are stored in the Windows registry at HKLM\SECURITY\Policy\Secrets and contain service account credentials, auto-logon passwords, VPN passwords, and other sensitive data cached by the Local Security Authority. Tools like Mimikatz (lsadump::secrets), Impacket's secretsdump.py, and reg save can extract this data. LSA Secrets are particularly valuable because they may contain plaintext service account passwords that have not been rotated in years.

T1003.005 — Cached Domain Credentials

Windows caches domain credentials locally to allow authentication when a domain controller is unavailable (such as a laptop user working offline). By default, Windows caches the last 10 domain logon credentials in the registry as MSCache2 hashes. While these hashes cannot be used directly for pass-the-hash, they can be cracked offline using tools like Hashcat. Tools like LaZagne, Metasploit's cachedump module, and Mimikatz can extract cached credentials from compromised systems.

T1003.006 — DCSync

DCSync is arguably the most dangerous sub-technique. Instead of accessing credential stores directly, it simulates a domain controller replication request using the MS-DRSR (Directory Replication Service Remote) protocol. The target domain controller responds by sending the requested credential data as if replicating to a legitimate peer. DCSync requires Replicating Directory Changes privileges, which Domain Admins, Enterprise Admins, and domain controller computer accounts hold by default. Mimikatz implements DCSync via lsadump::dcsync, allowing an attacker to pull the hash for any account — including the KRBTGT account, which enables Golden Ticket creation for persistent domain access. Because DCSync operates remotely over the network, the attacker never needs to touch the domain controller or its filesystem.

T1003.007 — Proc Filesystem (Linux)

On Linux systems, the /proc virtual filesystem exposes the memory of running processes. An attacker with root privileges can read /proc/[pid]/mem for processes that handle authentication (such as sshd, gdm, or vsftpd) and extract plaintext passwords or session tokens from memory. Additionally, /etc/shadow contains hashed passwords for all local accounts, and /etc/passwd contains account information. While reading /etc/shadow requires root access, it is the primary target for credential access on Linux servers.

T1003.008 — /etc/passwd and /etc/shadow

This sub-technique covers direct access to the Linux authentication files. /etc/shadow stores salted password hashes (typically SHA-512 on modern distributions) for all local accounts. An attacker with root access copies these files, exfiltrates them, and runs offline cracking with tools like Hashcat or John the Ripper. Because Linux servers often have service accounts with weak or unchanged passwords, this is frequently a productive credential harvesting technique in cloud and server environments.

Real-World Case Studies

Volt Typhoon — Living-off-the-Land Credential Dumping

The China-linked threat group Volt Typhoon, documented by CISA and Microsoft targeting U.S. critical infrastructure, relied on native Windows tools for credential extraction to avoid deploying detectable malware. The group used ntdsutil with the IFM (Install From Media) functionality to dump the NTDS.dit database from domain controllers, combined with reg save to export the SYSTEM registry hive needed for hash extraction. This living-off-the-land approach meant that the credential dumping activity appeared as legitimate administrative operations, aligning with Volt Typhoon's broader strategy of avoiding malware deployment entirely. The extracted credentials enabled the group to maintain persistent access to critical infrastructure networks for extended periods.

Scattered Spider — From Help Desk to Domain Admin

Scattered Spider (UNC3944) has demonstrated a consistent pattern of credential escalation that culminates in T1003 techniques. After obtaining initial access through social engineering (calling IT help desks to reset passwords and register MFA devices), the group escalates to domain admin privileges and performs NTDS.dit dumping or DCSync to harvest credentials for the entire domain. CrowdStrike's 2025 reporting documented Scattered Spider escalating attacks across multiple industries, with credential dumping serving as the pivot point between initial access and full environment compromise including ransomware deployment and data exfiltration.

Silk Typhoon — Targeting IT Supply Chains

In March 2025, Microsoft documented Silk Typhoon (formerly HAFNIUM) targeting IT supply chain organizations to gain access to downstream customer environments. The group's operations included NTDS.dit extraction from compromised domain controllers using both VSS and DCSync methods. By compromising managed service providers and extracting their Active Directory credentials, Silk Typhoon obtained access to the provider's customer environments without needing to attack each customer directly.

Medusa Ransomware — Credential Dumping as Standard Procedure

A March 2025 CISA advisory documented that Medusa ransomware operators routinely deploy Mimikatz for LSASS credential extraction as a standard post-exploitation procedure. After gaining initial access (typically through phishing or exploiting public-facing applications), the operators escalate privileges, run Mimikatz to harvest domain credentials, and use those credentials for lateral movement to domain controllers where they perform NTDS.dit extraction. The advisory confirmed that Medusa's activity continued to increase throughout 2025, with credential dumping as the consistent enabler of domain-wide ransomware deployment.

APT28 / Fancy Bear — DCSync for Espionage Persistence

The Russian military intelligence (GRU) group APT28 has been documented using DCSync attacks against government and defense sector targets. In a 2024 campaign dubbed the "Nearest Neighbor Attack," APT28 weaponized nearby Wi-Fi networks to gain initial access, then escalated to domain admin privileges and executed DCSync to extract the KRBTGT hash. With the KRBTGT hash, the group created Golden Tickets that provided persistent, unlimited access to the compromised Active Directory environment — access that survived password resets and remained valid until the KRBTGT key was rotated twice.

Detection Strategies

Credential dumping produces distinct forensic artifacts depending on the method used. The key principle is to monitor the behavior — LSASS access patterns, VSS creation, replication requests — rather than the specific tool, since attackers increasingly use living-off-the-land techniques that do not involve deploying known malicious binaries.

Key Event IDs

Event ID | Source | What It Captures
Sysmon 10 | ProcessAccess | Logs when any process opens a handle to lsass.exe — the single most important detection for T1003.001. Filter for access rights that include PROCESS_VM_READ.
Sysmon 1 | Process Creation | Captures execution of credential dumping tools and LOLBins: mimikatz.exe, procdump.exe, vssadmin.exe, ntdsutil.exe, reg.exe save
Sysmon 11 | FileCreate | Detects creation of LSASS dump files (lsass.dmp), SAM/SYSTEM registry exports, and NTDS.dit copies in unusual locations
4662 | Security | Directory service access — critical for DCSync detection. Alert on replication requests (DS-Replication-Get-Changes) from non-domain-controller source IPs
4663 | Security | Object access — monitors access to SAM, SECURITY, and SYSTEM registry hives and NTDS.dit file access attempts
8222 | Security | Shadow copy creation — detects VSS snapshot creation that may precede NTDS.dit or SAM extraction
4688 | Security | Process creation with command-line logging — captures ntdsutil IFM operations, reg save commands, and VSS-related command-line activity

Detection Queries

Splunk SPL queries

These queries target the behavioral patterns of credential dumping rather than specific tool signatures. Tune to exclude known legitimate access patterns from your EDR, backup, and monitoring tools.

LSASS Process Access by Non-System Processes — Detects any process opening a handle to LSASS, the primary indicator of credential extraction:

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
    GrantedAccess IN ("0x1010", "0x1410", "0x1fffff", "0x1038")
    NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\csrss.exe"
         OR SourceImage="*\\svchost.exe" OR SourceImage="*\\wininit.exe"
         OR SourceImage="*\\wmiprvse.exe")
| stats count by SourceImage, GrantedAccess, Computer, User

DCSync Detection via Replication Requests from Non-DC Sources — Identifies replication requests that originate from systems other than domain controllers:

index=wineventlog EventCode=4662
    (Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
     OR Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*")
    NOT SubjectUserName="*$"
| table _time, SubjectUserName, SubjectDomainName, ObjectName, Computer

NTDS.dit Extraction via VSS or Ntdsutil — Detects volume shadow copy creation and ntdsutil IFM operations targeting the Active Directory database:

index=sysmon EventCode=1
    (CommandLine="*vssadmin*create shadow*"
     OR CommandLine="*ntdsutil*ifm*"
     OR CommandLine="*ntdsutil*\"ac i ntds\"*"
     OR (CommandLine="*reg*save*" AND (CommandLine="*HKLM\\SAM*"
         OR CommandLine="*HKLM\\SYSTEM*" OR CommandLine="*HKLM\\SECURITY*")))
| table _time, Computer, User, ParentImage, Image, CommandLine
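The three behavioral checks above, implemented as one small Python triage routine over constructed Sysmon and Security events. This is an added example, not code from the original briefing; the LSASS baseline list, computer and user names, and sample events are assumptions. It generalizes the first query by testing the PROCESS_VM_READ bit of GrantedAccess instead of matching a fixed list of access masks.

```python
import re

# Sysmon Event 10 reports GrantedAccess as a hex string ("0x1010"); this is the
# PROCESS_VM_READ bit that any memory-dumping tool needs on lsass.exe.
PROCESS_VM_READ = 0x0010

# Assumed baseline of images allowed to open LSASS; tune to your EDR/AV agents.
LSASS_BASELINE = {"msmpeng.exe", "csrss.exe", "svchost.exe", "wininit.exe", "wmiprvse.exe"}

# Control-access GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

# Command lines that copy NTDS.dit or registry hives with built-in tools.
LOLBIN_PATTERNS = [
    re.compile(r"vssadmin.*create\s+shadow", re.I),
    re.compile(r"ntdsutil.*(ifm|ac\s+i\s+ntds)", re.I),
    re.compile(r"\breg(\.exe)?\s+save\s+.*hklm\\(sam|system|security)\b", re.I),
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return an alert label for one normalized event dict, or None if benign."""
    src, code = ev["source"], ev["event_id"]
    if src == "sysmon" and code == 10 and basename(ev["TargetImage"]) == "lsass.exe":
        mask = int(ev["GrantedAccess"], 16)
        if basename(ev["SourceImage"]) not in LSASS_BASELINE and mask & PROCESS_VM_READ:
            return "T1003.001 LSASS memory read by non-baseline process"
    elif src == "security" and code == 4662:
        props = ev.get("Properties", "").lower()
        # Domain controllers replicate with their computer accounts (names end in "$").
        if any(g in props for g in REPLICATION_GUIDS) and not ev["SubjectUserName"].endswith("$"):
            return "T1003.006 DCSync: replication rights used by a user account"
    elif src == "sysmon" and code == 1:
        if any(p.search(ev.get("CommandLine", "")) for p in LOLBIN_PATTERNS):
            return "T1003.002/.003 credential store copied with a built-in tool"
    return None

def scan(events):
    """Return (Computer, label) pairs for every event that trips a rule."""
    return [(ev["Computer"], label) for ev in events if (label := check_event(ev))]

# Constructed sample events (not real telemetry); host and user names are made up.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 10, "Computer": "WS-042", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
    {"source": "sysmon", "event_id": 10, "Computer": "WS-042", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\pd64.exe", "GrantedAccess": "0x1fffff"},
    {"source": "sysmon", "event_id": 10, "Computer": "WS-042", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "SourceImage": r"C:\Program Files\Inventory\agent.exe", "GrantedAccess": "0x1400"},
    {"source": "security", "event_id": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"source": "security", "event_id": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"source": "sysmon", "event_id": 1, "Computer": "DC01",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q'},
    {"source": "sysmon", "event_id": 1, "Computer": "WS-042", "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for computer, label in scan(SAMPLE_EVENTS):
        print(f"{computer}: {label}")
```

The third sample event (access mask 0x1400, no PROCESS_VM_READ bit) and the computer-account replication event are deliberately benign, so the run produces exactly three alerts.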

Known Threat Actors Using T1003

Actor | Origin | Methods
Volt Typhoon | China | ntdsutil IFM and reg save for living-off-the-land NTDS.dit extraction in critical infrastructure
Scattered Spider | Cybercrime | Mimikatz and DCSync after social engineering escalation to domain admin
Silk Typhoon | China | NTDS.dit extraction via VSS and DCSync in IT supply chain compromises
APT28 / Fancy Bear | Russia (GRU) | DCSync for KRBTGT extraction and Golden Ticket persistence
APT41 | China | secretsdump against multiple domain controllers in telecom and healthcare
Lazarus Group | North Korea | VSS extraction with offline cracking for lateral movement in financial sector
LockBit / Akira / Medusa | Cybercrime | Mimikatz + NTDS extraction as standard ransomware pre-deployment procedure
APT34 / OilRig | Iran | Mimikatz and LaZagne for credential harvesting in Middle East energy sector
Mustang Panda | China | LSASS credential extraction during espionage campaigns targeting governments
LAPSUS$ / DEV-0537 | Cybercrime | NTDS.dit dumping and DCSync following privilege escalation at major technology companies

Defensive Recommendations

tool-agnostic detection required

Attackers increasingly use built-in Windows tools (comsvcs.dll, ProcDump, Task Manager, ntdsutil) for credential extraction rather than deploying Mimikatz. Detection rules that only look for known malicious tool names or hashes will miss living-off-the-land credential dumping. Monitor the behavior — LSASS access patterns, VSS creation, replication traffic — not the tool.

  1. Enable Windows Credential Guard: Credential Guard uses virtualization-based security (VBS) to isolate LSASS process secrets in a hardware-protected container that cannot be accessed even by SYSTEM-level code. This is the single most effective control against T1003.001 LSASS memory dumping. When enabled, Mimikatz and equivalent tools cannot extract credentials from LSASS. Requires UEFI Secure Boot and compatible hardware.
  2. Enable LSASS as a Protected Process Light (PPL): Configuring LSASS to run as PPL (via the RunAsPPL registry setting) prevents non-protected processes from opening handles to LSASS with memory-read permissions. This blocks both Mimikatz and living-off-the-land dumping techniques. Credential Guard provides stronger protection, but PPL is available on a wider range of hardware.
  3. Deploy LAPS for local administrator passwords: The Local Administrator Password Solution (LAPS) ensures every endpoint has a unique, randomly generated local administrator password. This eliminates the ability to extract one local admin hash and use it across all endpoints via pass-the-hash. Without LAPS, a single SAM dump enables lateral movement to every system sharing the same local admin password.
  4. Monitor and alert on LSASS access: Deploy Sysmon Event ID 10 rules specifically monitoring access to lsass.exe. Build a baseline of legitimate processes that access LSASS in your environment (EDR agents, Windows Defender, authentication services) and alert on any non-baselined access. This is the most reliable detection for T1003.001 regardless of which tool the attacker uses.
  5. Restrict DCSync permissions: Audit accounts with Replicating Directory Changes privileges in Active Directory. Remove these permissions from any account that is not a domain controller computer account. Monitor Event ID 4662 for replication requests from non-DC sources, which is the definitive indicator of DCSync activity.
  6. Protect domain controllers: Domain controllers should be treated as the highest-security tier in the environment. Restrict interactive logon to dedicated admin workstations, implement tiered administration to prevent credential exposure across security boundaries, and monitor for VSS creation, ntdsutil execution, and file access to NTDS.dit on all DCs.
  7. Disable WDigest authentication: WDigest stores plaintext passwords in LSASS memory for legacy authentication compatibility. Unless required for specific applications, disable it by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 0. This is already the default on Windows 8.1+ and Server 2012 R2+, but should be verified across the environment.
  8. Implement credential hygiene: Rotate the KRBTGT password twice in succession (the first reset invalidates existing tickets, the second invalidates the backup key) after any suspected domain compromise. Rotate service account passwords regularly. Reduce the number of Domain Admin accounts and use Just-In-Time privileged access. Minimize the cached domain credential count via Group Policy (default is 10; reduce to 1-2 for servers, 4-5 for laptops).

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1003
Technique Name | OS Credential Dumping
Tactics | Credential Access
Platforms | Windows, Linux, macOS
Sub-Techniques | T1003.001 LSASS Memory, T1003.002 Security Account Manager, T1003.003 NTDS, T1003.004 LSA Secrets, T1003.005 Cached Domain Credentials, T1003.006 DCSync, T1003.007 Proc Filesystem, T1003.008 /etc/passwd and /etc/shadow
Data Sources | Process (Access, Creation), Command (Execution), File (Access), Active Directory (Object Access), Windows Registry (Key Access)
MITRE Reference | attack.mitre.org/techniques/T1003

Sources and References

  • MITRE ATT&CK — T1003 OS Credential Dumping: attack.mitre.org
  • Red Canary — 2026 Threat Detection Report (Mimikatz #4 Threat): redcanary.com
  • CISA — #StopRansomware: Medusa Ransomware Advisory (March 2025): cisa.gov
  • Microsoft — Silk Typhoon Targeting IT Supply Chain (March 2025): microsoft.com
  • Elastic — Detecting Credential Dumping with ES|QL: elastic.co
— end of briefing