detecting-credential-dumping-techniques

Solid

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Skill Content

# Detecting Credential Dumping Techniques

## Overview

Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Detection rules analyze GrantedAccess bitmasks, suspicious calling processes, and known tool signatures.

## When to Use

- When investigating security incidents that require detecting credential dumping techniques
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe
- Windows Security audit policy enabling process creation (Event ID 4688) with command line logging
- Splunk or Elastic SIEM ingesting Sysmon and Windows Security logs
- Python 3.8+ for log analysis

## Steps

1. Configure Sysmon to log ProcessAccess events targeting lsass.exe
2. Forward Sysmon Event ID 10 and Windows Event ID 4688 to SIEM
3. Create detection rules for known GrantedAccess patterns (0x1010, 0x1FFFFF)
4. Detect comsvcs.dll MiniDump and procdump.exe targeting LSASS PID
5. Alert on reg.exe SAM/SECU...
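As an added example (not code from the skill or its repository), the following Python applies steps 3 and 4, plus the reg.exe/ntdsutil/vssadmin tool signatures from the overview, to parsed Sysmon Event ID 10 and Security 4688 records: it flags the GrantedAccess masks the skill names and any mask carrying PROCESS_VM_READ, skips an assumed allow-list of benign LSASS readers, and matches command lines against the named tools. The allow-list, the dict field names and the sample events are assumptions constructed for the demo.

```python
import re

# Win32 process access rights relevant to LSASS reads; 0x1010 / 0x1FFFFF are the masks step 3 names.
PROCESS_VM_READ, PROCESS_ALL_ACCESS = 0x0010, 0x1FFFFF
KNOWN_DUMP_MASKS = {0x1010, 0x1FFFFF}
# Assumed allow-list of benign LSASS readers (tune per environment; not taken from the skill).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# 4688 command-line markers for the tool-based techniques the skill lists (reg/SAM, ntdsutil/vssadmin, comsvcs, procdump).
CMDLINE_PATTERNS = {
    "sam_hive_export": re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\bhklm\\sam\b", re.I),
    "ntds_extraction": re.compile(r"\b(ntdsutil|vssadmin)(\.exe)?\b", re.I),
    "comsvcs_minidump": re.compile(r"comsvcs(\.dll)?\b.*minidump", re.I),
    "procdump_lsass": re.compile(r"\bprocdump(64)?(\.exe)?\b.*\blsass\b", re.I),
}

def classify_process_access(ev):
    """Sysmon EID 10 rule: returns a finding name, or None when the access looks benign."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon records GrantedAccess as a hex string
    if access in KNOWN_DUMP_MASKS or access == PROCESS_ALL_ACCESS:
        return "lsass_access_known_dump_mask"
    if access & PROCESS_VM_READ:  # any mask carrying VM_READ can read credential material
        return "lsass_access_vm_read"
    return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) alone is normal for inventory tools

def classify_process_create(ev):
    """Security 4688 rule: matches the logged command line against the tool signatures above."""
    if ev.get("EventID") != 4688:
        return None
    return next((n for n, p in CMDLINE_PATTERNS.items() if p.search(ev.get("CommandLine", ""))), None)

def triage(events):
    """Run both rules over parsed event dicts; returns [(index, finding), ...] for SIEM correlation."""
    return [(i, hit) for i, ev in enumerate(events)
            if (hit := classify_process_access(ev) or classify_process_create(ev))]

# Constructed sample events (not real telemetry); field names follow the Sysmon/Security event XML.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Inventory\agent.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 4688, "CommandLine": r"reg.exe save hklm\sam C:\Users\Public\sam.hiv"},
    {"EventID": 4688, "CommandLine": "vssadmin.exe list shadows"},
]
```

Running `triage(SAMPLE_EVENTS)` reports the two unallowed LSASS reads and the two tool command lines while ignoring the allow-listed csrss.exe access and the 0x1000 query from the inventory agent.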

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content, not just the same category. All are by mukul975 in the AI & Automation category (12,642 stars, updated today).

- detecting-t1003-credential-dumping-with-edr (Featured): Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
- detecting-privilege-escalation-attempts (Featured): Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
- detecting-malicious-scheduled-tasks-with-sysmon (Solid): Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.
- detecting-living-off-the-land-with-lolbas (Featured): Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis.
- detecting-living-off-the-land-attacks (Featured): Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.