Add T1003 "OS credential dumping" MITRE technique

cdelafuente-r7 · cdelafuente-r7 · commit 7ce2bdc97954 · 2025-09-09T10:45:46.000+02:00
diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
@@ -34,7 +34,8 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           [ 'URL', 'http://sourceforge.net/projects/smbexec' ],
-          [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ]
+          [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
@@ -34,7 +34,8 @@ def initialize(info = {})
           # Rapid7 ETR advisory for CVE-2024-24919
           [ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],
           # Publication of first proof-of-concept exploit
-          [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ]
+          [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ]
       )
     )
diff --git a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
           %w[EDB 47288],
           ['URL', 'https://www.fortiguard.com/psirt/FG-IR-18-384'],
           ['URL', 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf'],
-          ['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/']
+          ['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'Author' => [
           'Meh Chang', # discovery and PoC
diff --git a/modules/auxiliary/gather/ldap_passwords.rb b/modules/auxiliary/gather/ldap_passwords.rb
@@ -40,7 +40,8 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://blog.xpnsec.com/lapsv2-internals/'],
-          ['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py']
+          ['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'DisclosureDate' => '2020-07-23',
         'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb b/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://seclists.org/fulldisclosure/2017/Feb/2'],
-          ['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm']
+          ['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'DisclosureDate' => '2017-01-31',
         'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/qnap_lfi.rb b/modules/auxiliary/gather/qnap_lfi.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
           ['EDB', '48531'],
           ['URL', 'https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05'],
           ['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201911-25'],
-          ['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE']
+          ['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'DisclosureDate' => '2019-11-25', # Vendor advisory
         'Actions' => [
diff --git a/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb b/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
         ],
         'References' => [
           ['CVE', '2020-3952'],
-          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html']
+          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'DisclosureDate' => '2020-04-09', # Vendor advisory
         'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb
@@ -68,6 +68,7 @@ module will fallback to the original implementation, which consists
         ],
         'References' => [
           ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
         ],
         'Notes' => {
           'Reliability' => [],
diff --git a/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb b/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb
@@ -19,7 +19,8 @@ def initialize(info = {})
         },
         'References' => [
           ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/'],
-          ['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83']
+          ['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'Author' => [
           'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
@@ -32,7 +32,10 @@ def initialize(info = {})
           'Reliability' => UNKNOWN_RELIABILITY,
           'Stability' => UNKNOWN_STABILITY,
           'SideEffects' => UNKNOWN_SIDE_EFFECTS
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
 
diff --git a/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb b/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb
@@ -39,7 +39,8 @@ def initialize(info = {})
           ['CVE', '2022-24989'],
           ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],
           ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],
-          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']
+          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'DisclosureDate' => '2022-03-07',
         'Platform' => ['unix', 'linux'],
diff --git a/modules/post/aix/hashdump.rb b/modules/post/aix/hashdump.rb
@@ -21,7 +21,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/android/gather/hashdump.rb b/modules/post/android/gather/hashdump.rb
@@ -30,6 +30,7 @@ def initialize(info = {})
         'References' => [
           ['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'],
           ['URL', 'https://hashcat.net/forum/thread-2202.html'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/bsd/gather/hashdump.rb b/modules/post/bsd/gather/hashdump.rb
@@ -22,7 +22,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/linux/gather/f5_loot_mcp.rb b/modules/post/linux/gather/f5_loot_mcp.rb
@@ -28,6 +28,7 @@ def initialize(info = {})
           ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
           ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
           ['URL', 'https://support.f5.com/csp/article/K97843387'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
         ],
         'DisclosureDate' => '2022-11-16',
         'Notes' => {
diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb
@@ -21,7 +21,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/linux/gather/manageengine_password_manager_creds.rb b/modules/post/linux/gather/manageengine_password_manager_creds.rb
@@ -39,7 +39,8 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'URL', 'https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/' ],
-          [ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ]
+          [ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'Notes' => {
           'Stability' => [ CRASH_SAFE ],
diff --git a/modules/post/linux/gather/mimipenguin.rb b/modules/post/linux/gather/mimipenguin.rb
@@ -37,7 +37,8 @@ def initialize(info = {})
           [ 'URL', 'https://github.com/huntergregal/mimipenguin' ],
           [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919' ],
           [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490' ],
-          [ 'CVE', '2018-20781' ]
+          [ 'CVE', '2018-20781' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'DisclosureDate' => '2018-05-23',
         'DefaultTarget' => 0,
diff --git a/modules/post/linux/gather/openvpn_credentials.rb b/modules/post/linux/gather/openvpn_credentials.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
         'Platform' => ['linux'],
         'SessionTypes' => ['shell', 'meterpreter'],
         'References' => [
-          ['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh']
+          ['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/linux/gather/vcenter_secrets_dump.rb b/modules/post/linux/gather/vcenter_secrets_dump.rb
@@ -57,7 +57,8 @@ def initialize(info = {})
           [ 'URL', 'https://github.com/shmilylty/vhost_password_decrypt' ],
           [ 'CVE', '2022-22948' ],
           [ 'URL', 'https://pentera.io/blog/information-disclosure-in-vmware-vcenter/' ],
-          [ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ]
+          [ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'Notes' => {
           'Stability' => [ CRASH_SAFE ],
diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
@@ -35,7 +35,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
     register_options([
diff --git a/modules/post/solaris/gather/hashdump.rb b/modules/post/solaris/gather/hashdump.rb
@@ -23,7 +23,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
@@ -26,7 +26,8 @@ def initialize(info = {})
         'Platform' => ['win'],
         'SessionTypes' => ['meterpreter'],
         'References' => [
-          ['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb']
+          ['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/credentials/credential_collector.rb b/modules/post/windows/gather/credentials/credential_collector.rb
@@ -30,7 +30,10 @@ def initialize(info = {})
               priv_passwd_get_sam_hashes
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -40,7 +40,10 @@ def initialize(info = {})
               stdapi_fs_stat
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
     deregister_options('SMBUser', 'SMBPass', 'SMBDomain')
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb
@@ -37,7 +37,10 @@ def initialize(info = {})
               stdapi_sys_process_memory_write
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
   end
diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -42,7 +42,10 @@ def initialize(info = {})
               stdapi_net_resolve_hosts
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+        ]
       )
     )
 

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,8 @@ def initialize(info = {})`
`34`	`34`	`# Rapid7 ETR advisory for CVE-2024-24919`
`35`	`35`	`[ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],`
`36`	`36`	`# Publication of first proof-of-concept exploit`
`37`		`- [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ]`
	`37`	`+ [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],`
	`38`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
`38`	`39`	`]`
`39`	`40`	`)`
`40`	`41`	`)`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,10 @@ def initialize(info = {})`
`32`	`32`	`'Reliability' => UNKNOWN_RELIABILITY,`
`33`	`33`	`'Stability' => UNKNOWN_STABILITY,`
`34`	`34`	`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
`35`		`- }`
	`35`	`+ },`
	`36`	`+ 'References' => [`
	`37`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
	`38`	`+ ]`
`36`	`39`	`)`
`37`	`40`	`)`
`38`	`41`