Incident Analysis: Credential Access

snaggletooth · November 25, 2025, 3:58am

Hi Team,

I need to raise awareness regarding the following question:

What is the name of the parent technique of the sub-technique T1543.003 Windows Service? Answer only with the name - do not include the technique identifier.

The answer required has the following format:
•• •••••••••• •••••••

The answer to this question I would call out as being incorrect.
T1543.003 is not even part of Credential Access TA0006.

The answer to this question wants it to be “OS Credential Dumping” and when one looks at all of the sub-techniques of this particular one, you will only find the following:
LSASS MEMORY
Security Account Manager
NTDS
LSA Secrets
Cached Domain Credentials
DCSync
Proc Filesystem
/etc/passwd and /etc/shadow

so, you can see that the answer to the question asked is totally incorrect.
My theory is that this question was copied from another track and incorrectly associated with the answer.

Sir_A3XN · November 25, 2025, 3:42pm

I have not done this challenge but in my experience… many times the dots “…” they are hidden: the answer is longer

Check Number of Characters

CalmQuail2332 · November 25, 2025, 4:02pm

I’m pretty sure that’s what happened as well. The answer was correct, but the question was not. This has been fixed.