[T1006] Direct Volume Access – Adversaries directly access logical volumes to read or write raw file system structures, bypassing standard file access controls and monitoring; defenders must monitor drive handle activity, process commands, and PowerShell logging to detect misuse. #DirectVolumeAccess #DefenseEvasion
[T1005] Data from Local System – Adversaries search local files, configurations, virtual machine images, and local databases to find sensitive data for later exfiltration; monitoring command activity and system APIs helps detect this behavior. #DataFromLocalSystem #T1005
[T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow – Adversaries target the /etc/passwd and /etc/shadow files to obtain user account metadata and password hashes for offline cracking, often combining them with tools like unshadow and John the Ripper. Monitor and restrict access to these files, enable auditing, and watch command execution and file access logs to detect and respond to dumping attempts. #OSCredentialDumping #LinuxSecurity
[T1003.007] OS Credential Dumping: Proc Filesystem – Adversaries can extract credentials and cached secrets from Linux process memory exposed via the /proc pseudo-filesystem, leveraging files like /proc//maps and /proc//mem to locate cleartext passwords or hashes. Monitoring access to these proc files and scanning process memory usage patterns helps detect and mitigate this technique. #OSCredentialDumping #ProcFilesystem
[T1003.006] OS Credential Dumping: DCSync – DCSync abuses domain replication APIs to pull password hashes and sensitive account data directly from a Windows Domain Controller, enabling attackers to forge tickets or take over accounts. #DCSync #CredentialAccess
[T1003.005] OS Credential Dumping: Cached Domain Credentials – Adversaries target cached domain credentials stored on endpoints to recover user passwords when domain controllers are unavailable, enabling lateral movement and persistence. Effective defenses include monitoring for credential-dumping tools, protecting and auditing local credential stores, and limiting cache usage. #CredentialDumping #CachedCredentials
[T1003.004] OS Credential Dumping: LSA Secrets – Adversaries with SYSTEM privileges can extract sensitive credentials stored as LSA secrets from the Windows registry or memory, enabling lateral movement and persistence. Detecting such activity requires monitoring registry access, suspicious processes, and memory-dumping tools. #LSASecrets #CredentialDumping
[T1003.003] OS Credential Dumping: NTDS – Adversaries target the Active Directory database (NTDS.dit) to harvest domain credentials and account metadata, often by copying live files or backups using built-in tools or shadow copies. This enables wide lateral movement and persistent access. #NTDS #CredentialDumping
[T1003.002] OS Credential Dumping: Security Account Manager – Adversaries extract password hashes from the Windows Security Account Manager (SAM) by reading the SAM file or registry keys, enabling lateral movement and persistence. Protecting and monitoring access to %SystemRoot%/system32/config/SAM and registry SAM keys reduces risk. #CredentialDumping #SAM
[T1001.003] Data Obfuscation: Protocol or Service Impersonation – Adversaries disguise C2 and malicious traffic by impersonating legitimate protocols or web services, making harmful activity blend with normal network flows and evade detection. #DataObfuscation #ProtocolImpersonation
[T1001.002] Data Obfuscation: Steganography – Adversaries hide command-and-control or exfiltrated data inside benign-looking files (images, documents, audio) to evade detection and blend with normal traffic. Monitoring unusual file transfers and inspecting content can reveal hidden channels. #Steganography #DataObfuscation
[T1001.001] Data Obfuscation: Junk Data – Adversaries insert meaningless or random bytes into command-and-control communications to hide malicious signals and evade simple detection rules. This increases difficulty for signature- and pattern-based inspection and forces defenders to use deeper protocol validation and behavioral analysis. #DataObfuscation #JunkData
[T1003.001] OS Credential Dumping: LSASS Memory – Attackers harvest credentials from the LSASS process memory to obtain plaintext and encrypted authentication material for lateral movement and persistence. Monitoring process interactions, command lines, and unusual memory-dump activity helps detect and block these actions. #LSASS #CredentialDumping
[T1003] OS Credential Dumping – Adversaries extract passwords and credential material (hashes or cleartext) from operating system memory, caches, and files to gain account access and move laterally within networks. Effective detection and controls reduce unauthorized access and privilege escalation risk. #OSCredentialDumping #CredentialDumping
[T1001] Data Obfuscation – Adversaries hide command-and-control traffic by altering, padding, or disguising communications so they blend with normal network activity and evade detection. Detecting this requires inspecting protocol behavior, unusual data flows, and endpoint processes to spot anomalies early. #DataObfuscation #C2Detection