Conversation

@cdelafuente-r7 cdelafuente-r7 commented Sep 9, 2025

This adds the reference to MITRE ATT&CK technique T1003 "OS credential dumping". (see https://attack.mitre.org/techniques/T1003/ for details).

This has been mainly done with the help of AI and local scripts. The process was as follows:

  1. Use both the source code and the documentation for each module in Metasploit.
  2. Filter according to keywords related to the MITRE technique.
  3. Process each module from the filtered list of modules using AI with a specifically crafted prompt, the source code and the documentation.
  4. Final manual review.
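
A keyword pre-filter in the spirit of steps 1 and 2 above, as an added example that is not part of this PR, the author's scripts or the Metasploit code base. It scans a module's source and documentation text for T1003-related terms, skips modules that already carry an `['ATT&CK', ...]` reference, and reports the rest as candidates for the AI and manual passes. The sample modules, their descriptions and the keyword list are constructed for the example; the word-boundary patterns are there to avoid the obvious false positive (matching "SAM" inside "Samba") that a plain substring grep would produce.

```ruby
# Added example: keyword triage of module text for T1003 candidates.
# Nothing here is taken from Metasploit; module data below is constructed.

# Terms that suggest OS credential dumping, keyed by a readable label.
# \b anchors keep "SAM" from matching "Samba" and similar substrings.
T1003_KEYWORDS = {
  'NTDS'        => /\bntds(?:\.dit)?\b/i,
  'SAM'         => /\bsam\b/i,
  'LSASS'       => /\blsass\b/i,
  'mimikatz'    => /\bmimikatz\b/i,
  'secretsdump' => /\bsecretsdump\b/i,
  '/etc/shadow' => %r{/etc/shadow},
  'hashdump'    => /\bhashdump\b/i,
  'DCSync'      => /\bdcsync\b/i,
  'cached creds' => /\bcached (?:domain )?credentials\b/i,
  '/proc/<pid>/mem' => %r{/proc/(?:\d+|self)/mem}
}.freeze

# Does the module source already declare an ATT&CK reference entry?
def attack_tagged?(source)
  source.match?(/\[\s*'ATT&CK',\s*Mitre::Attack::Technique::\w+\s*\]/)
end

# Labels of the keywords that fire for a module (source and docs combined).
def t1003_hits(source, docs)
  text = "#{source}\n#{docs}"
  T1003_KEYWORDS.select { |_label, re| text.match?(re) }.keys
end

# Triage {name:, source:, docs:} hashes into untagged candidates with hits.
def triage(modules)
  modules.each_with_object([]) do |mod, out|
    next if attack_tagged?(mod[:source])   # already done, skip
    hits = t1003_hits(mod[:source], mod[:docs])
    out << { name: mod[:name], hits: hits } unless hits.empty?
  end
end

# Constructed sample modules (not real Metasploit modules).
SAMPLE_MODULES = [
  { name: 'sam_hashes_example',
    source: "'Description' => 'Dump password hashes from the SAM hive'",
    docs: 'Uses the registry to read the SAM and SYSTEM hives.' },
  { name: 'shadow_reader_example',
    source: "'Description' => 'Read /etc/shadow via the session'",
    docs: 'Requires root.' },
  { name: 'samba_rce_example',
    source: "'Description' => 'Samba RCE'",
    docs: 'Abuses a Samba share; no credentials are read.' },
  { name: 'already_tagged_example',
    source: "'References' => [ [ 'ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER ] ]",
    docs: 'Dumps the SAM.' }
].freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_MODULES).each { |c| puts "#{c[:name]}: #{c[:hits].join(', ')}" }
end
```

The output of the triage is only a candidate list: the Samba module is correctly dropped by the word boundary, but a module that mentions "LSASS" in a caveat rather than because it reads it would still surface, which is why the AI pass and the final manual review in steps 3 and 4 remain necessary.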

@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label Sep 9, 2025
@cdelafuente-r7 cdelafuente-r7 changed the title Add T1003 "OS credential dumping" MITRE technique Add T1003 "OS credential dumping" MITRE technique reference Sep 9, 2025
@smcintyre-r7 smcintyre-r7 self-assigned this Sep 12, 2025
@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban Sep 12, 2025
@smcintyre-r7 smcintyre-r7 left a comment

Since this was our first time using AI to tag these, I wanted to go through and review each of them. I think every module it tagged does indeed fall under the T1003 category; I didn't notice any false positives. While reviewing them, I did add subcategories as I thought they were applicable, just because I had the info handy. I did not go through modules that were not tagged to see if there were any false negatives, but I can't think of any offhand that are obviously missing.

@@ -34,7 +34,8 @@ def initialize(info = {})
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'http://sourceforge.net/projects/smbexec' ],
[ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ]
[ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
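Review bot: the added `[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]` line uses the parent technique, which is the least informative tag available; the module's own references (the smbexec project and the Optiv post on owning computers without shell access) point at one specific credential store, so the matching T1003 sub-technique constant would record which store the module reads, and a search on the parent ID still finds the module once the module cache is rebuilt.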

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]

@@ -34,7 +34,8 @@ def initialize(info = {})
# Rapid7 ETR advisory for CVE-2024-24919
[ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],
# Publication of first proof-of-concept exploit
[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ]
[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
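Review bot: the adjacent references describe CVE-2024-24919 as an information disclosure in the Check Point Security Gateway, so credential dumping is a consequence of an arbitrary file read rather than the module's mechanism. If the tag is kept, tag the sub-technique for the file the module actually retrieves rather than the parent, and make sure the module description names that file so a reader can trace why a file-read module carries a T1003 tag.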

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]

@@ -31,7 +31,8 @@ def initialize(info = {})
%w[EDB 47288],
['URL', 'https://www.fortiguard.com/psirt/FG-IR-18-384'],
['URL', 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf'],
['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/']
['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'],
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
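Review bot: same granularity issue on the added `['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]` line: the FortiGuard advisory FG-IR-18-384 and the DEVCORE SSL VPN write-up concern a vulnerability in the appliance, not a credential-dumping primitive, so the tag should name the sub-technique for whatever credential file the module reads. Style is fine here: this list already mixes `%w[EDB 47288]` with explicit `['URL', ...]` pairs, and the new entry follows the no-inner-space bracket style of its neighbours.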

Suggested change
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]

@@ -36,7 +36,8 @@ def initialize(info = {})
['EDB', '48531'],
['URL', 'https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05'],
['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201911-25'],
['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE']
['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'],
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
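Review bot: the references on this module describe it as a pre-auth root RCE against QNAP NAS devices, so it is not obvious from the hunk why it qualifies for T1003 at all. If the exploit chain reads a credential file as part of gaining access, that should be visible in the description and the tag should be the sub-technique for that file; if it does not, the added `['ATT&CK', ...]` line is a false positive of the kind the reviewer was checking for.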

Suggested change
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]

@@ -68,6 +68,7 @@ module will fallback to the original implementation, which consists
],
'References' => [
['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py'],
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
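Review bot: the added line keeps a trailing comma (`['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],`), so either further references follow it or it is a dangling-comma last element; both parse in Ruby, but the suggested replacement below ends its last line (`T1003_006_DCSYNC]`) without a comma, which will not parse if another entry does follow. Since the module cites impacket's secretsdump.py, one `['ATT&CK', ...]` line per sub-technique it implements is the right shape; keep the trailing comma on the last of them if anything comes after.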

This one supports multiple techniques, and it's one of the more important examples of each, so I think it makes sense to add each one individually.

Suggested change
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER],
['ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS],
['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS],
['ATT&CK', Mitre::Attack::Technique::T1003_006_DCSYNC]

@@ -37,7 +37,8 @@ def initialize(info = {})
[ 'URL', 'https://github.com/huntergregal/mimipenguin' ],
[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919' ],
[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490' ],
[ 'CVE', '2018-20781' ]
[ 'CVE', '2018-20781' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
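Review bot: a single parent tag undersells a module whose references (mimipenguin, the gnome-keyring and lightdm Launchpad bugs, CVE-2018-20781) cover more than one credential source. Where a module uses several distinct sub-techniques, add one `[ 'ATT&CK', ... ]` line per sub-technique instead of the parent, as proposed for the secretsdump module elsewhere in this PR, so that an `att&ck:` search on any of them finds it.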

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]

@@ -27,7 +27,8 @@ def initialize(info = {})
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter'],
'References' => [
['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh']
['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
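Review bot: style: the added line is written `[ 'ATT&CK', ... ]` with spaces inside the brackets while the neighbouring entry in this file is `['URL', ...]` without them; match the file's existing style (RuboCop's Layout/SpaceInsideArrayLiteralBrackets cop flags this mix if it is enabled in the framework config). On content, the referenced openvpnscraper gist points at a specific way of recovering the credentials, so the sub-technique is the informative tag.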

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ]

}
},
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
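Review bot: this hunk shows no @@ header or file path and no other entries in the 'References' array, so it is not possible to tell from the diff which module this is or why it qualifies as T1003. A credential-dumping tag as the sole reference should be backed by a module description (or a URL) that makes the technique evident, and it should use the specific sub-technique rather than the parent.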

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]

@@ -26,7 +26,8 @@ def initialize(info = {})
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'References' => [
['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb']
['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'],
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
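Review bot: the module's only other reference is the archived cachedump.rb, which identifies the credential store in question, so the added `['ATT&CK', ...]` line should carry the matching cached-credentials sub-technique rather than the parent; a reader of the module metadata should not have to follow a web.archive.org link to learn what is being dumped.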

Suggested change
['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS]

}
},
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
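Review bot: same problem as the earlier context-free 'References' hunk: with no @@ header, path or other references visible, the T1003 tag cannot be verified from the diff alone. Make sure the module's description names the credential store it reads, and tag the matching sub-technique instead of T1003_OS_CREDENTIAL_DUMPING.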

Suggested change
[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]

@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban Sep 12, 2025
@cdelafuente-r7 (Contributor Author)

Thank you @smcintyre-r7. For some reason, some files were not properly processed and I have missing results (like the modules you pointed out). I will correct this and rerun the queries for the missing items. Thank you for pointing this out.

Regarding the sub-techniques, I was under the impression the generic root technique was preferred for search purposes. I can imagine a scenario where a user wants to list all the modules that refer to OS credential dumping, regardless of the actual way to do it. In this case, would we need to keep the T1003_OS_CREDENTIAL_DUMPING reference along with the sub-technique? Or maybe I'm wrong and there is an internal mechanism that handles this in Framework without the need to add the root technique reference?

@smcintyre-r7 (Contributor)

The way our search works, you can filter on att&ck:T1003 and it'll pull in all of the sub-techniques too. It won't work until the module cache has been rebuilt locally. I just double-checked, though, using the example query att&ck:T1204, which yields results tagged with T1204.002.
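
The parent/sub-technique matching described in the comment above, as an added example that is not the framework's search code: the technique IDs, module names and tags below are constructed, the real constants live in Mitre::Attack::Technique, and the real lookup goes through the module cache (which is why the behaviour only appears locally after the cache is rebuilt). The example compares the parent component of the ID rather than doing a string-prefix match, so `T1003` matches `T1003.003` but could never match an unrelated ID that merely starts with the same characters.

```ruby
# Added example: an att&ck:<id> reference filter where a parent technique
# query also matches its sub-techniques. Not Metasploit's implementation.

# ATT&CK technique IDs: "T" + four digits, optionally ".ddd" for a sub-technique.
ATTACK_ID = /\AT\d{4}(?:\.\d{3})?\z/

# "T1003.003" -> "T1003"; "T1003" -> "T1003"
def parent_of(id)
  id.split('.').first
end

# True when a module's technique ID satisfies the query.
# "T1003" matches "T1003" and "T1003.002"; "T1003.002" matches only itself.
# Comparing the parent component (not a string prefix) keeps "T1003" from
# matching a hypothetical "T10030".
def attack_match?(query, id)
  raise ArgumentError, "bad ATT&CK query #{query.inspect}" unless query.match?(ATTACK_ID)
  return id == query if query.include?('.')   # sub-technique query: exact
  parent_of(id) == query                      # parent query: whole family
end

# Filter a {name => [ids]} map by an "att&ck:<id>" search keyword.
def search(modules, keyword)
  _key, query = keyword.split(':', 2)
  modules.select { |_name, ids| ids.any? { |id| attack_match?(query, id) } }.keys
end

# Constructed module tags loosely mirroring the sub-technique tagging
# discussed in this PR (names are placeholders, not framework modules).
MODULES = {
  'secretsdump_example' => %w[T1003.002 T1003.004 T1003.005 T1003.006],
  'cachedump_example'   => %w[T1003.005],
  'procmem_example'     => %w[T1003.007],
  'ntds_example'        => %w[T1003.003],
  'browser_example'     => %w[T1204.002],
  'legacy_parent_tag'   => %w[T1003]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts search(MODULES, 'att&ck:T1003').inspect
  puts search(MODULES, 'att&ck:T1003.005').inspect
  puts search(MODULES, 'att&ck:T1204').inspect
end
```

The `legacy_parent_tag` entry shows the trade-off raised in the thread: a module tagged only with the parent still appears in `att&ck:T1003` results, but never in a search for any sub-technique, so tagging the sub-technique loses nothing and gains precision.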

@cdelafuente-r7 (Contributor Author)

Thank you @smcintyre-r7, it makes sense. I've added a few missing modules and updated the references to use sub-techniques in the last commit.

Labels
rn-enhancement release notes enhancement
Projects
Status: Waiting on Contributor