TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Credential Theft: Initial Access, Mimikatz & More | Huntress

2025-04-08

ATT&CK techniques detected

14 predictions
T1003.001 LSASS Memory (100%)
“dump the contents of process memory using a command line similar to the following: %comspec% /q /c cmd.exe /q /c for /f "tokens=1,2 delims= " ^%a in ('"tasklist /fi "imagename eq lsass.exe", find "lsass""') do rundll32.exe c:\window…”
T1003.003 NTDS (99%)
“add hklm\system\currentcontrolset\control\securityproviders\wdigest /v uselogoncredential /t reg_dword /d 1 /f This command modifies the Windows registry and tells the operating system to store credentials in plain text, rather than encrypting them. Setting this r…”
T1003.001 LSASS Memory (97%)
“…Threat actors may take this “shotgun” approach in an attempt to collect credentials from as many sources as possible, accepting that some may not bear fruit. Or, they may target specific content, attempting to copy off the password stores of specific browsers or other applica…”
T1003.002 Security Account Manager (97%)
“This utility can be used to “dump” or save copies of the registry hive files, via a command line such as the following: reg.exe save hklm\system <path> This command is then repeated for the software and sam registry hives. Huntress sees a good bit of this activity deliver…”
T1003.001 LSASS Memory (87%)
“…adowCopy102\ This command had not been preceded by a command to create a volume shadow copy (VSC), but was instead preceded by a command to list the available VSCs. Attackers often abuse this legitimate Windows feature by creating VSCs to access registry hives, so seeing thi…”
T1003 OS Credential Dumping (85%)
“Credential Theft: Initial Access, Mimikatz & More | Huntress What is credential theft? At its core, credential theft is the unauthorized acquisition of login credentials such as usernames, passwords, or session tokens by a malicious threat actor. Threat actors use different mean…”
T1003.003 NTDS (81%)
“…s process parent, can be seen in Figure 4. Figure 4: Process in Huntress portal A similar approach to the one noted above — copying files from a volume shadow copy — has also been observed with respect to the NTDS.dit file. Finally, it’s not unusual for threat actors to emplo…”
T1078 Valid Accounts (75%)
“Credential Theft: Initial Access, Mimikatz & More | Huntress What is credential theft? At its core, credential theft is the unauthorized acquisition of login credentials such as usernames, passwords, or session tokens by a malicious threat actor. Threat actors use different mean…”
T1110 Brute Force (60%)
“…in the mJobTime application highlights the risks of a 'hidden attack surface.' Specifically, a blind SQL injection flaw was identified, creating a significant security concern for on-site operations. Other examples include Remote Desktop Protocol (RDP) and MSSQL Server; if…”
T1003.002 Security Account Manager (55%)
“…adowCopy102\ This command had not been preceded by a command to create a volume shadow copy (VSC), but was instead preceded by a command to list the available VSCs. Attackers often abuse this legitimate Windows feature by creating VSCs to access registry hives, so seeing thi…”
T1059.003 Windows Command Shell (38%)
“…, made up nearly a quarter of the threats across all observed incidents. Figure 2: Frequency of threats, as observed by Huntress analysts Another means of gaining access to credentials is to run freely available password recovery tools. Administrators may be observed running one…”
T1566 Phishing (37%)
“…the user’s credentials, or some other means of access. Figure 1: Example of phishing email masquerading as a message from DocuSign Another means of gaining access to endpoints used by threat actors is SEO poisoning and malicious Google Ads. Threat actors will look for software…”
T1589.001 Credentials (37%)
“Credential Theft: Initial Access, Mimikatz & More | Huntress What is credential theft? At its core, credential theft is the unauthorized acquisition of login credentials such as usernames, passwords, or session tokens by a malicious threat actor. Threat actors use different mean…”
T1566.002 Spearphishing Link (32%)
“…the user’s credentials, or some other means of access. Figure 1: Example of phishing email masquerading as a message from DocuSign Another means of gaining access to endpoints used by threat actors is SEO poisoning and malicious Google Ads. Threat actors will look for software…”

Summary

What is credential theft? Learn how threat actors use phishing, brute force, and tools like Mimikatz or Registry hive dumps to gain initial access and move laterally.