title: OS Credential Dumping
description: Detects NPPSpy service or credential theft through generic IndicatorName.
author: keyboardcrunch
date: 17/03/2021
modified: null
mitre: 
   tactic: Credential Access
   technique: T1003
   subtechnique: null
operating_system: linux
query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "LSASSMemoryAccessed", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
false_positives: null
tags: null
references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md