https://attack.mitre.org/techniques/T1003/
# Sigma rules tagged with ATT&CK T1003 (OS Credential Dumping) or one of its
# sub-techniques, keyed by rule path relative to the rules tree; each value is
# one `attack.t1003[.xxx]` entry from that rule's `tags:` list.
# Sub-technique suffixes as defined by ATT&CK: .001 LSASS Memory, .002 SAM,
# .003 NTDS, .004 LSA Secrets, .005 Cached Domain Credentials, .006 DCSync.
# NOTE(review): this listing is a readable index, not loadable YAML — `path: - tag`
# puts a block-sequence indicator after a mapping key on the same line, which
# parsers reject, and a path that carries several tags is repeated once per tag
# (see win_security_impacket_secretdump.yml, win_security_mal_creddumper.yml),
# so a parser that tolerated the form would keep only the last tag per path.
# To reuse it as data, collect the tags into a sequence under each path.
sigma:
builtin/application/application_error/win_application_error_lsass_crash.yml: - attack.t1003.001
builtin/application/esent/win_esent_ntdsutil_abuse.yml: - attack.t1003.003
builtin/security/win_security_ad_replication_non_machine_account.yml: - attack.t1003.006
builtin/security/win_security_dcsync.yml: - attack.t1003.006
builtin/security/win_security_dpapi_domain_backupkey_extraction.yml: - attack.t1003.004
builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml: - attack.t1003.004
builtin/security/win_security_impacket_secretdump.yml: - attack.t1003.002
builtin/security/win_security_impacket_secretdump.yml: - attack.t1003.004
builtin/security/win_security_impacket_secretdump.yml: - attack.t1003.003
builtin/security/win_security_lsass_access_non_system_account.yml: - attack.t1003.001
builtin/security/win_security_mal_creddumper.yml: - attack.t1003.001
builtin/security/win_security_mal_creddumper.yml: - attack.t1003.002
builtin/security/win_security_mal_creddumper.yml: - attack.t1003.004
builtin/security/win_security_mal_creddumper.yml: - attack.t1003.005
builtin/security/win_security_mal_creddumper.yml: - attack.t1003.006
builtin/security/win_security_mal_wceaux_dll.yml: - attack.t1003
builtin/security/win_security_signal_sensitive_config_access.yml: - attack.t1003
builtin/security/win_security_susp_lsass_dump.yml: - attack.t1003.001
builtin/security/win_security_susp_lsass_dump_generic.yml: - attack.t1003.001
builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml: - attack.t1003.002
builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml: - attack.t1003.001
builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml: - attack.t1003.003
builtin/security/win_security_vssaudit_secevent_source_registration.yml: - attack.t1003.002
builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml: - attack.t1003.002
builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml: - attack.t1003.002
builtin/system/microsoft_windows_wer_systemerrorreporting/win_system_crash_dump_created.yml: - attack.t1003.002
builtin/system/service_control_manager/win_system_mal_creddumper.yml: - attack.t1003.001
builtin/system/service_control_manager/win_system_mal_creddumper.yml: - attack.t1003.002
builtin/system/service_control_manager/win_system_mal_creddumper.yml: - attack.t1003.004
builtin/system/service_control_manager/win_system_mal_creddumper.yml: - attack.t1003.005
builtin/system/service_control_manager/win_system_mal_creddumper.yml: - attack.t1003.006
builtin/windefend/win_defender_asr_lsass_access.yml: - attack.t1003.001
builtin/win_alert_mimikatz_keywords.yml: - attack.t1003.002
builtin/win_alert_mimikatz_keywords.yml: - attack.t1003.004
builtin/win_alert_mimikatz_keywords.yml: - attack.t1003.001
builtin/win_alert_mimikatz_keywords.yml: - attack.t1003.006
create_remote_thread/create_remote_thread_win_powershell_lsass.yml: - attack.t1003.001
create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml: - attack.t1003.001
file/file_access/file_access_win_susp_credential_manager_access.yml: - attack.t1003
file/file_access/file_access_win_susp_crypto_currency_wallets.yml: - attack.t1003
file/file_event/file_event_win_cred_dump_tools_dropped_files.yml: - attack.t1003.001
file/file_event/file_event_win_cred_dump_tools_dropped_files.yml: - attack.t1003.002
file/file_event/file_event_win_cred_dump_tools_dropped_files.yml: - attack.t1003.003
file/file_event/file_event_win_cred_dump_tools_dropped_files.yml: - attack.t1003.004
file/file_event/file_event_win_cred_dump_tools_dropped_files.yml: - attack.t1003.005
file/file_event/file_event_win_hktl_crackmapexec_indicators.yml: - attack.t1003.001
file/file_event/file_event_win_hktl_dumpert.yml: - attack.t1003.001
file/file_event/file_event_win_hktl_quarkspw_filedump.yml: - attack.t1003.002
file/file_event/file_event_win_hktl_remote_cred_dump.yml: - attack.t1003
file/file_event/file_event_win_hktl_safetykatz.yml: - attack.t1003.001
file/file_event/file_event_win_impacket_file_indicators.yml: - attack.t1003.001
file/file_event/file_event_win_lsass_default_dump_file_names.yml: - attack.t1003.001
file/file_event/file_event_win_lsass_shtinkering.yml: - attack.t1003.001
file/file_event/file_event_win_lsass_werfault_dump.yml: - attack.t1003.001
file/file_event/file_event_win_ntds_dit_creation.yml: - attack.t1003.003
file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml: - attack.t1003.003
file/file_event/file_event_win_ntds_dit_uncommon_process.yml: - attack.t1003.002
file/file_event/file_event_win_ntds_dit_uncommon_process.yml: - attack.t1003.003
file/file_event/file_event_win_ntds_exfil_tools.yml: - attack.t1003.003
file/file_event/file_event_win_sam_dump.yml: - attack.t1003.002
file/file_event/file_event_win_taskmgr_lsass_dump.yml: - attack.t1003.001
image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml: - attack.t1003.001
image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml: - attack.t1003.001
image_load/image_load_dll_tttracer_module_load.yml: - attack.t1003.001
image_load/image_load_lsass_unsigned_image_load.yml: - attack.t1003.001
image_load/image_load_win_susp_dbgcore_dbghelp_load.yml: - attack.t1003
pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml: - attack.t1003.001
pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml: - attack.t1003.002
pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml: - attack.t1003.004
pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml: - attack.t1003.005
powershell/powershell_module/posh_pm_get_addbaccount.yml: - attack.t1003.003
powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml: - attack.t1003.003
powershell/powershell_script/posh_ps_get_adreplaccount.yml: - attack.t1003.006
powershell/powershell_script/posh_ps_hktl_rubeus.yml: - attack.t1003
powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml: - attack.t1003
powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml: - attack.t1003
powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml: - attack.t1003.001
process_access/proc_access_win_hktl_generic_access.yml: - attack.t1003.001
process_access/proc_access_win_hktl_handlekatz_lsass_access.yml: - attack.t1003.001
process_access/proc_access_win_lsass_dump_comsvcs_dll.yml: - attack.t1003.001
process_access/proc_access_win_lsass_dump_keyword_image.yml: - attack.t1003.001
process_access/proc_access_win_lsass_memdump.yml: - attack.t1003.001
process_access/proc_access_win_lsass_python_based_tool.yml: - attack.t1003.001
process_access/proc_access_win_lsass_remote_access_trough_winrm.yml: - attack.t1003.001
process_access/proc_access_win_lsass_seclogon_access.yml: - attack.t1003.001
process_access/proc_access_win_lsass_susp_access_flag.yml: - attack.t1003.001
process_access/proc_access_win_lsass_werfault.yml: - attack.t1003.001
process_access/proc_access_win_lsass_whitelisted_process_names.yml: - attack.t1003.001
process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml: - attack.t1003.001
process_creation/proc_creation_win_adplus_memory_dump.yml: - attack.t1003.001
process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml: - attack.t1003.001
process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml: - attack.t1003.005
process_creation/proc_creation_win_cmdkey_recon.yml: - attack.t1003.005
process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml: - attack.t1003.002
process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml: - attack.t1003.003
process_creation/proc_creation_win_createdump_lolbin_execution.yml: - attack.t1003.001
process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml: - attack.t1003.001
process_creation/proc_creation_win_dumpminitool_execution.yml: - attack.t1003.001
process_creation/proc_creation_win_dumpminitool_susp_execution.yml: - attack.t1003.001
process_creation/proc_creation_win_esentutl_params.yml: - attack.t1003
process_creation/proc_creation_win_esentutl_params.yml: - attack.t1003.003
process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml: - attack.t1003.002
process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml: - attack.t1003.003
process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_createminidump.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_doppelganger.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_dumpert.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_execution_via_imphashes.yml: - attack.t1003
process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml: - attack.t1003
process_creation/proc_creation_win_hktl_handlekatz.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_inveigh.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_mimikatz_command_line.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_mimikatz_command_line.yml: - attack.t1003.002
process_creation/proc_creation_win_hktl_mimikatz_command_line.yml: - attack.t1003.004
process_creation/proc_creation_win_hktl_mimikatz_command_line.yml: - attack.t1003.005
process_creation/proc_creation_win_hktl_mimikatz_command_line.yml: - attack.t1003.006
process_creation/proc_creation_win_hktl_pypykatz.yml: - attack.t1003.002
process_creation/proc_creation_win_hktl_quarks_pwdump.yml: - attack.t1003.002
process_creation/proc_creation_win_hktl_rubeus.yml: - attack.t1003
process_creation/proc_creation_win_hktl_safetykatz.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_wce.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_wsass.yml: - attack.t1003.001
process_creation/proc_creation_win_hktl_xordump.yml: - attack.t1003.001
process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml: - attack.t1003
process_creation/proc_creation_win_iis_connection_strings_decryption.yml: - attack.t1003
process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml: - attack.t1003.001
process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml: - attack.t1003.001
process_creation/proc_creation_win_lsass_process_clone.yml: - attack.t1003
process_creation/proc_creation_win_lsass_process_clone.yml: - attack.t1003.001
process_creation/proc_creation_win_ntdsutil_susp_usage.yml: - attack.t1003.003
process_creation/proc_creation_win_ntdsutil_usage.yml: - attack.t1003.003
process_creation/proc_creation_win_powershell_sam_access.yml: - attack.t1003.002
process_creation/proc_creation_win_pua_ditsnap.yml: - attack.t1003.003
process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml: - attack.t1003.001
process_creation/proc_creation_win_registry_new_network_provider.yml: - attack.t1003
process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml: - attack.t1003.002
process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml: - attack.t1003.004
process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml: - attack.t1003.005
process_creation/proc_creation_win_reg_open_command.yml: - attack.t1003
process_creation/proc_creation_win_renamed_createdump.yml: - attack.t1003.001
process_creation/proc_creation_win_rpcping_credential_capture.yml: - attack.t1003
process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml: - attack.t1003.001
process_creation/proc_creation_win_sc_query_interesting_services.yml: - attack.t1003
process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml: - attack.t1003.001
process_creation/proc_creation_win_susp_ntds.yml: - attack.t1003.003
process_creation/proc_creation_win_susp_shadow_copies_creation.yml: - attack.t1003
process_creation/proc_creation_win_susp_shadow_copies_creation.yml: - attack.t1003.002
process_creation/proc_creation_win_susp_shadow_copies_creation.yml: - attack.t1003.003
process_creation/proc_creation_win_susp_system_user_anomaly.yml: - attack.t1003
process_creation/proc_creation_win_sysinternals_procdump.yml: - attack.t1003.001
process_creation/proc_creation_win_sysinternals_procdump_evasion.yml: - attack.t1003.001
process_creation/proc_creation_win_sysinternals_procdump_lsass.yml: - attack.t1003.001
process_creation/proc_creation_win_tasklist_module_enumeration.yml: - attack.t1003
process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml: - attack.t1003.003
process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml: - attack.t1003.003
process_creation/proc_creation_win_werfaultsecure_abuse.yml: - attack.t1003.001
process_creation/proc_creation_win_werfault_lsass_shtinkering.yml: - attack.t1003.001
registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml: - attack.t1003.002
registry/registry_event/registry_event_hack_wce_reg.yml: - attack.t1003.001
registry/registry_event/registry_event_silentprocessexit_lsass.yml: - attack.t1003.001
registry/registry_set/registry_set_lsass_usermode_dumping.yml: - attack.t1003.001
registry/registry_set/registry_set_new_network_provider.yml: - attack.t1003
registry/registry_set/registry_set_odbc_driver_registered_susp.yml: - attack.t1003