APromptRiskDBThreat intelligence atlas
AI Security Technique

OS Credential Dumping - AI Security Technique

Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash or clear text, and can include usernames and passwords, application tokens, or other authentication keys. Credentials can be used to perform Lateral Movement to access other AI services such as AI agents, LLMs, or AI inference APIs. Cre...

View mitigationsRead context
AI Security TechniquedemonstratedCredential Access

Record summary

A quick snapshot of what this page covers.

Tactics1Attacker goals connected to this method.
Mitigations0Defenses that may help against this attack.
AI risks0Research-backed risks connected to this topic.

Attack context

How this AI attack works in practice.

Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash or clear text, and can include usernames and passwords, application tokens, or other authentication keys.

Credentials can be used to perform Lateral Movement to access other AI services such as AI agents, LLMs, or AI inference APIs. Credentials could also give an adversary access to other software tools and data sources that are part of the AI DevOps lifecycle.

ATLAS ID
AML.T0090
ATT&CK external ID
T1003
Priority score
30
Maturity: demonstrated
Credential Access

Mitigations

Defenses that may help against this attack.

No connected defenses. No defense is connected to this attack in the current data.

Case studies

Examples from public reports and exercises.

AIKatz: Attacking LLM Desktop Applications

exercise
Date2025-01-01

Researchers at Lumia have demonstrated that it is possible to extract authentication tokens from the memory of LLM Desktop Applications. An attacker could then use those tokens to impersonate as the victim to the LLM backed, thereby gaining access to the victim’s conversations as well as the ability to interfere in future conversations. The attacker’s access would allow them the ability to directly inject prompts to change the LLM’s behavior, poison the LLM’s context to have persistent effects, manipulate the user’s conversation history to cover their tracks, and ultimately impact the confidentiality, integrity, and availability of the system. The researchers demonstrated this on Anthropic Claude, Microsoft M365 Copilot, and OpenAI ChatGPT.

Vendor Responses to Responsible Disclosure:

  • Anthropic (HackerOne) - Closed as informational since local attack.
  • Microsoft Security Response Center - Attack doesn’t bypass security boundaries for CVE.
  • OpenAI (BugCrowd) - Closed as informational and noted that it’s up to Microsoft to patch this behavior.

Related risks

Research-backed risks connected to this topic.

No related AI risks. No research risk is connected to this topic in the current data.

Related CVEs

Known software flaws linked to this context.

No related CVEs. No software flaw is connected to this attack in the current data.

Source

Where this page information comes from.