菜单
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Extract DPAPI-protected secrets such as credentials and browser data offline and online.
Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.
Test vector stores for embedding inversion, cross-tenant leakage, and poisoning.
Enumerate Entra ID with ROADrecon and acquire and exchange tokens with roadtx.
Run OAuth 2.0 device-code and illicit-consent phishing against Microsoft Entra ID to steal access and refresh tokens, bypass MFA, and pivot across Microsoft 365 services.
Run Microsoft Entra ID tenant reconnaissance, token acquisition and manipulation, and federation backdoor testing with the AADInternals PowerShell toolkit to validate identity-attack resilience.
| name | detecting-t1003-credential-dumping-with-edr |
| description | Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation. |
| domain | cybersecurity |
| subdomain | threat-hunting |
| tags | ["threat-hunting","credential-dumping","lsass","mitre-t1003","edr","mimikatz","ntds","sam-database"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | ["Token Binding","Execution Isolation","File Metadata Consistency Validation","Restore Access","Application Protocol Command Analysis"] |
| nist_csf | ["DE.CM-01","DE.AE-02","DE.AE-07","ID.RA-05"] |
| mitre_attack | ["T1003.001","T1003.002","T1003.003","T1003.006"] |
| mitre_f3 | {"version":"1.1","tactics":["reconnaissance","positioning","initial-access"],"techniques":[{"id":"T1555","name":"Credentials from Password Stores","tactic":"reconnaissance","source":"attack"},{"id":"T1555.003","name":"Credentials from Password Stores: Credentials from Web Browsers","tactic":"reconnaissance","source":"attack"},{"id":"T1539","name":"Steal Web Session Cookie","tactic":"positioning","source":"attack"},{"id":"F1006","name":"Account Takeover","tactic":"initial-access","source":"f3"},{"id":"F1006.002","name":"Account Takeover: Exposed Login Credential","tactic":"initial-access","source":"f3"}]} |
| Concept | Description |
|---|---|
| T1003.001 | LSASS Memory -- dumping credentials from LSASS process |
| T1003.002 | Security Account Manager -- extracting local account hashes from SAM |
| T1003.003 | NTDS -- extracting domain hashes from Active Directory database |
| T1003.004 | LSA Secrets -- extracting service account passwords |
| T1003.005 | Cached Domain Credentials -- extracting DCC2 hashes |
| T1003.006 | DCSync -- replicating credentials from domain controller |
| Credential Guard | Virtualization-based isolation of LSASS secrets |
| RunAsPPL | Protected Process Light for LSASS |
index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where GrantedAccess IN ("0x1FFFFF", "0x1F3FFF", "0x143A", "0x1F0FFF", "0x0040", "0x1010", "0x1410")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|taskmgr|procexp|SecurityHealthService)\.exe$")
| table _time Computer SourceImage SourceProcessId GrantedAccess CallTrace
index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates)")
OR match(CommandLine, "(?i)procdump.*-ma.*lsass")
OR match(CommandLine, "(?i)comsvcs\.dll.*MiniDump")
OR match(CommandLine, "(?i)ntdsutil.*\"ac i ntds\".*ifm")
OR match(CommandLine, "(?i)reg\s+save\s+hklm\\\\(sam|security|system)")
OR match(CommandLine, "(?i)vssadmin.*create\s+shadow")
| table _time Computer User Image CommandLine ParentImage
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("LsassAccess", "CredentialDumpingActivity")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, ActionType, AdditionalFields
| sort by Timestamp desc
title: LSASS Memory Credential Dumping Attempt
status: stable
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1FFFFF'
- '0x1F3FFF'
- '0x143A'
- '0x0040'
filter:
SourceImage|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\MsMpEng.exe'
- '\svchost.exe'
condition: selection and not filter
level: critical
tags:
- attack.credential_access
- attack.t1003.001
sekurlsa::logonpasswords to extract plaintext passwords, NTLM hashes, and Kerberos tickets.procdump.exe -ma lsass.exe lsass.dmp creating a memory dump for offline credential extraction.rundll32.exe comsvcs.dll MiniDump [LSASS_PID] dump.bin full using a built-in Windows DLL for LSASS dumping.reg save HKLM\SAM sam.save followed by reg save HKLM\SYSTEM system.save for local account hash extraction.Hunt ID: TH-CRED-[DATE]-[SEQ]
Host: [Hostname]
Dumping Method: [LSASS_Access/NTDS/SAM/DCSync]
Source Process: [Tool or process used]
Target: [LSASS/NTDS.dit/SAM/SECURITY]
Access Rights: [Granted access mask]
User Context: [Account performing the dump]
ATT&CK Technique: [T1003.00x]
Risk Level: [Critical/High/Medium]
Credentials at Risk: [Scope assessment]