Featured resource
pluralsight tech forecast
2025 Tech Forecast

Which technologies will dominate in 2025? And what skills do you need to keep up?

Check it out
Hamburger Icon
  • Course
    • Libraries: If you want this course, consider one of these libraries.
    • Security

Volt Typhoon: T1003.003 Credential Dumping Emulation

Explore how Volt Typhoon created a copy of the Active Directory domain database in a critical infrastructure network in order to steal credential information.

Matthew Lloyd Davies - Pluralsight course - Volt Typhoon: T1003.003 Credential Dumping Emulation
by Matthew Lloyd Davies

What you'll learn

Adversaries often seek to extract user credentials, typically in the form of hashes or plaintext passwords, from operating systems and software. These credentials can then be used to facilitate lateral movement within a network and gain access to sensitive information. Volt Typhoon used a number of techniques to obtain credentials, including extracting them from process memory and stealing Active Directory databases (NTDS). In this course, Volt Typhoon: T1003.003 Credential Dumping Emulation, you’ll focus on how Volt Typhoon created a volume shadow copy and extracted the bootkey from the system registry hive to extract password hashes from NTDS.

Table of contents

About the author

Matthew Lloyd Davies - Pluralsight course - Volt Typhoon: T1003.003 Credential Dumping Emulation
Matthew Lloyd Davies

Matt has a degree in Chemical engineering and a PhD in mathematical chemistry. He is also a GIAC certified incident handler and penetration tester and has regulated cyber security in the UK civil nuclear sector for many years.

More Courses by Matthew