Skill

detecting-credential-dumping-techniques

Detects LSASS credential dumping, SAM extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules for threat hunting and SOC analysis.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Det...

Supporting Assets

LICENSESKILL.es.mdreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Detecting Credential Dumping Techniques

Overview

When to Use

When investigating security incidents that require detecting credential dumping techniques
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe
Windows Security audit policy enabling process creation (Event ID 4688) with command line logging
Splunk or Elastic SIEM ingesting Sysmon and Windows Security logs
Python 3.8+ for log analysis

Steps

Configure Sysmon to log ProcessAccess events targeting lsass.exe
Forward Sysmon Event ID 10 and Windows Event ID 4688 to SIEM
Create detection rules for known GrantedAccess patterns (0x1010, 0x1FFFFF)
Detect comsvcs.dll MiniDump and procdump.exe targeting LSASS PID
Alert on reg.exe SAM/SECURITY/SYSTEM hive export commands
Detect ntdsutil/vssadmin shadow copy creation for NTDS.dit theft
Correlate detections with user/host context for risk scoring

Expected Output

JSON report containing detected credential dumping indicators with technique classification, severity ratings, process details, MITRE ATT&CK mapping, and Splunk/Elastic detection queries.