# Credential Dumping

**ATT\&CK ID:** [T1003](https://attack.mitre.org/techniques/T1003/)

**Description**

Adversaries could attempt to extract credentials and account hashes from various areas of the Operating System. Clear-text passwords and hashes can be used by adversaries to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) in the environment.

## Sub Techniques

### T1003.001: LSASS Memory

{% content-ref url="credential-dumping/lsass-memory" %}
[lsass-memory](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/lsass-memory)
{% endcontent-ref %}

### T1003.002: Security Account Manager (SAM)

{% content-ref url="credential-dumping/security-account-manager-sam" %}
[security-account-manager-sam](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/security-account-manager-sam)
{% endcontent-ref %}

### T1003.003: NTDS

{% content-ref url="credential-dumping/ntds" %}
[ntds](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/ntds)
{% endcontent-ref %}

### T1003.004: LSA Secrets

{% content-ref url="credential-dumping/lsa-secrets" %}
[lsa-secrets](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/lsa-secrets)
{% endcontent-ref %}

### T1003.005: Cached Domain Credentials

{% content-ref url="credential-dumping/cached-domain-credentials" %}
[cached-domain-credentials](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/cached-domain-credentials)
{% endcontent-ref %}

### T1003.006: DCSync

{% content-ref url="credential-dumping/dcsync" %}
[dcsync](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/dcsync)
{% endcontent-ref %}