// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE PUB-ENTDTG 0600Z
ColdReconTechniquesT1003
Technique T1003

OS Credential Dumping

CLEARED FOR PUBLIC RELEASE · OPEN-SOURCE INTELLIGENCE
OS Credential Dumping (T1003) — a Credential Access technique, observed in public incident reporting.
MITRE ATT&CKT1003
TacticCredential Access
Incidents on file7

Detection & mitigation

Monitor for suspicious access to LSASS process memory, such as via suspicious process handles or unusual process injections, using Sysmon Event ID 10 (ProcessAccess) with target LSASS.exe. Mitigate by enabling Credential Guard, enforcing LSA protection, and restricting administrative privileges to limit credential dumping tools.

Track this in real time.

ColdRecon watches the public signal so you don't have to — a daily brief and a live detection-coverage desk. Request clearance.

Request Clearance →