Skill

detecting-t1003-credential-dumping-with-edr

Detects T1003 credential dumping attacks on LSASS, SAM, NTDS.dit, cached creds using EDR telemetry, Sysmon process access, Windows security events. For threat hunting and incident response.

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- 狩猎环境中的凭据窃取活动时

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

detecting-credential-dumping-with-edr

Detects OS credential dumping techniques like LSASS access, SAM extraction, NTDS, and DCSync using EDR telemetry and Sysmon logs. Useful for threat hunting and incident response in Windows environments.

7 files

cybersecurity-skills-zh

detecting-t1003-credential-dumping-with-edr

5.9k

Detects credential dumping (T1003) targeting LSASS, SAM, NTDS.dit, cached creds via EDR telemetry, Sysmon process access, Windows event correlation. For threat hunting and IR.

7 files

cybersecurity-skills

detecting-t1003-credential-dumping-with-edr

Detects credential dumping attacks (T1003) targeting LSASS memory, SAM, NTDS.dit, cached credentials via EDR telemetry, Sysmon ProcessAccess, Windows events. For threat hunting and incident response.

asi

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

使用 EDR 检测 T1003 凭据转储

适用场景

狩猎环境中的凭据窃取活动时
入侵指标表明攻击者已获得提升权限后
EDR 告警 LSASS 访问或可疑进程内存读取时
事件响应期间确定凭据泄露的范围时
审计 LSASS 保护控制（凭据保护、RunAsPPL）时

前置条件

部署了具备 LSASS 访问监控能力的 EDR agent（CrowdStrike、Defender for Endpoint、SentinelOne）
配置了 LSASS 专属过滤器的 Sysmon 事件 ID 10（ProcessAccess）
Windows 安全事件 ID 4656/4663（对象访问审计）
已启用 LSASS SACL 审计（Windows 10+）
针对 SAM 注册表 hive 访问的注册表审计

工作流程

监控 LSASS 进程访问：追踪所有以可疑访问权限（PROCESS_VM_READ 0x0010、PROCESS_ALL_ACCESS 0x1FFFFF）打开 lsass.exe 句柄的进程。非特权或异常进程访问 LSASS 是强烈指标。
检测凭据转储工具：狩猎已知工具签名——Mimikatz（sekurlsa::logonpasswords）、procdump.exe 针对 LSASS、comsvcs.dll MiniDump，以及任务管理器创建 LSASS 转储。
监控 NTDS.dit 访问：检测创建卷影副本（vssadmin、wmic shadowcopy）后访问 NTDS.dit 文件，或 ntdsutil.exe IFM 创建操作。
追踪 SAM/SECURITY/SYSTEM 注册表 hive 访问：狩猎针对 SAM、SECURITY 和 SYSTEM 注册表 hive 的 reg.exe save 命令。
检测 DCSync 活动：监控非域控制器账户请求目录复制的行为（事件 4662，包含复制 GUID）。
与横向移动关联：凭据转储后攻击者通常进行横向移动。将凭据访问事件与后续的远程登录尝试相关联。
评估影响：确定可能被泄露的凭据范围并启动密码重置。

核心概念

概念	描述
T1003.001	LSASS 内存——从 LSASS 进程转储凭据
T1003.002	安全账户管理器——从 SAM 提取本地账户哈希
T1003.003	NTDS——从 Active Directory 数据库提取域哈希
T1003.004	LSA 机密——提取服务账户密码
T1003.005	缓存域凭据——提取 DCC2 哈希
T1003.006	DCSync——从域控制器复制凭据
凭据保护（Credential Guard）	基于虚拟化的 LSASS 机密隔离
RunAsPPL	LSASS 受保护进程轻量级模式

检测查询

Splunk——LSASS 访问检测

index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where GrantedAccess IN ("0x1FFFFF", "0x1F3FFF", "0x143A", "0x1F0FFF", "0x0040", "0x1010", "0x1410")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|taskmgr|procexp|SecurityHealthService)\.exe$")
| table _time Computer SourceImage SourceProcessId GrantedAccess CallTrace

Splunk——凭据转储工具检测

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates)")
    OR match(CommandLine, "(?i)procdump.*-ma.*lsass")
    OR match(CommandLine, "(?i)comsvcs\.dll.*MiniDump")
    OR match(CommandLine, "(?i)ntdsutil.*\"ac i ntds\".*ifm")
    OR match(CommandLine, "(?i)reg\s+save\s+hklm\\\\(sam|security|system)")
    OR match(CommandLine, "(?i)vssadmin.*create\s+shadow")
| table _time Computer User Image CommandLine ParentImage

KQL——Microsoft Defender for Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("LsassAccess", "CredentialDumpingActivity")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, ActionType, AdditionalFields
| sort by Timestamp desc

Sigma 规则——LSASS 凭据转储

title: LSASS Memory Credential Dumping Attempt
status: stable
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1FFFFF'
            - '0x1F3FFF'
            - '0x143A'
            - '0x0040'
    filter:
        SourceImage|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\MsMpEng.exe'
            - '\svchost.exe'
    condition: selection and not filter
level: critical
tags:
    - attack.credential_access
    - attack.t1003.001

常见场景

Mimikatz sekurlsa：通过 sekurlsa::logonpasswords 直接读取 LSASS 内存，提取明文密码、NTLM 哈希和 Kerberos 票据。
ProcDump LSASS：procdump.exe -ma lsass.exe lsass.dmp 创建内存转储供离线凭据提取。
Comsvcs.dll MiniDump：rundll32.exe comsvcs.dll MiniDump [LSASS_PID] dump.bin full 利用内置 Windows DLL 转储 LSASS。
NTDS.dit 提取：创建卷影副本并复制 NTDS.dit + SYSTEM hive，使用 secretsdump 进行离线域哈希提取。
SAM 注册表 hive 导出：reg save HKLM\SAM sam.save 结合 reg save HKLM\SYSTEM system.save 进行本地账户哈希提取。
任务管理器转储：在任务管理器中右键点击 LSASS 创建内存转储——合法工具被滥用于凭据窃取。

输出格式

Hunt ID: TH-CRED-[DATE]-[SEQ]
Host: [主机名]
Dumping Method: [LSASS_Access/NTDS/SAM/DCSync]
Source Process: [使用的工具或进程]
Target: [LSASS/NTDS.dit/SAM/SECURITY]
Access Rights: [授予的访问掩码]
User Context: [执行转储的账户]
ATT&CK Technique: [T1003.00x]
Risk Level: [Critical/High/Medium]
Credentials at Risk: [影响范围评估]