
Protecting against OS Credential Dumping

Octavian Mihail Romanescu
3 min read, Dec 15, 2024


You may have heard about OS Credential Dumping during a penetration test or in the news, and now you may want to learn how to protect yourself from it.

What is OS Credential Dumping?

OS Credential Dumping is a technique used by attackers to extract authentication credentials from operating systems. The credentials may include:

  • Plaintext passwords
  • Password hashes
  • Kerberos tickets
  • Other authentication tokens stored in memory or on disk

This technique is commonly used during the post-exploitation phase of a cyberattack to escalate privileges, maintain persistence, or facilitate lateral movement within a network.

How Does OS Credential Dumping Work?

Operating systems, especially Windows, store credentials in various locations for authentication purposes. Attackers target these locations using specialized tools or scripts to extract sensitive information.

Common Sources of Credentials in Windows:

LSASS Process:

  • The Local Security Authority Subsystem Service (LSASS) process in Windows stores credentials in memory for active sessions.
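Because LSASS holds live credentials, a handle opened to lsass.exe with memory-read rights by an unexpected process is the event a defender most wants to see. The following is an added example, not code from the article: it flags such access in constructed records shaped like Sysmon Event ID 10 (ProcessAccess); the allow-list of legitimate source processes and the sample events are assumptions for illustration.

```python
# Added example (not from the original article): flag processes that open a handle
# to lsass.exe, using constructed records shaped like Sysmon Event ID 10 (ProcessAccess).
# The allow-list and the sample events below are assumptions for illustration only.
from typing import Iterable

# Hypothetical allow-list: processes that legitimately touch LSASS on a given host.
# Tune it per environment; a real deployment would also key on signer and path.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Win32 process access right that a memory-dumping tool needs to read LSASS's
# address space (PROCESS_VM_READ). Any request carrying this bit is interesting.
PROCESS_VM_READ = 0x0010


def flag_lsass_access(events: Iterable[dict]) -> list[dict]:
    """Return events where a non-allow-listed process opened lsass.exe with VM_READ."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:               # only ProcessAccess records
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        source = ev["SourceImage"].lower()
        granted = int(ev["GrantedAccess"], 16)    # Sysmon logs the mask as hex text
        if source not in ALLOWED_SOURCES and granted & PROCESS_VM_READ:
            hits.append({"source": ev["SourceImage"], "access": hex(granted)})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print("suspicious LSASS access:", hit)
```

Only the unknown binary in a user's Temp directory is reported; the allow-listed system process, the access to notepad.exe, and the non-ProcessAccess record are ignored.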
