Credential Theft: Expanding Your Reach, Pt. II
ATT&CK techniques detected

T1003.003 NTDS (96%)
Excerpt: "Credential Theft: Expanding Your Reach, Pt. II. As a follow-on to our previous blog post of the same title, sans the "Pt. II," we wanted to illustrate the myriad of techniques behind the "credential theft" tactic, showing what many of them look like. This way, those with di…"
T1003.001 LSASS Memory (32%)
Excerpt: "…leave the same artifacts in the Windows Event Log as attaching, copying, and detaching the database. On another server within the same environment, the following processes were observed: print /d:c:\temp\saaas.i \\localhost\c$\@gmt-2025.04.05-10.53.33\…"
Summary
As with many tactics within the MITRE ATT&CK framework, credential theft consists of a number of different techniques. Showing what many of them look like on an endpoint helps other security professionals understand what to look for and how to detect and respond to similar activity.