Simple play icon Course
Skills

Volt Typhoon: T1003.003 Credential Dumping Emulation

by Matthew Lloyd Davies

Explore how Volt Typhoon created a copy of the Active Directory domain database in a critical infrastructure network in order to steal credential information.

What you'll learn

Adversaries often seek to extract user credentials, typically in the form of hashes or plaintext passwords, from operating systems and software. These credentials can then be used to facilitate lateral movement within a network and gain access to sensitive information. Volt Typhoon used a number of techniques to obtain credentials, including extracting them from process memory and stealing Active Directory databases (NTDS). In this course, Volt Typhoon: T1003.003 Credential Dumping Emulation, you’ll focus on how Volt Typhoon created a volume shadow copy and extracted the bootkey from the system registry hive to extract password hashes from NTDS.

Table of contents

About the author

Matt is a cyber security author and researcher here at Pluralsight. A certified penetration tester and incident handler, he created Pluralsight's CompTIA Pentest+ Specialized Attacks courses as well our courses on wireless, ICS/OT and hardware hacking. Matt has also helped to build our security labs portfolio; labs that help you get hands-on to understand the threats and vulnerabilities your organization faces today. With a background in Chemical Engineering, Matt's focus is on the security ... more

Ready to upskill? Get started