Skill

detecting-credential-dumping-techniques

From asi

Detects LSASS credential dumping, SAM hive extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM rules. For SOC threat hunting and detection rule building.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Det...

SKILL.md

Similar Skills

detecting-credential-dumping-techniques

5.9k

Detects LSASS credential dumping, SAM extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules for threat hunting and SOC analysis.

4 files

cybersecurity-skills

detecting-credential-dumping-techniques

Detects credential dumping attacks like LSASS access via Sysmon Event ID 10, SAM exports, NTDS.dit theft using Windows security logs and SIEM correlation rules. For Windows threat hunting.

3 files

cybersecurity-skills-zh

detecting-t1003-credential-dumping-with-edr

Detects credential dumping attacks (T1003) targeting LSASS memory, SAM, NTDS.dit, cached credentials via EDR telemetry, Sysmon ProcessAccess, Windows events. For threat hunting and incident response.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Credential Dumping Techniques

Overview

When to Use

When investigating security incidents that require detecting credential dumping techniques

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe

Windows Security audit policy enabling process creation (Event ID 4688) with command line logging

Splunk or Elastic SIEM ingesting Sysmon and Windows Security logs

Python 3.8+ for log analysis

Steps

Configure Sysmon to log ProcessAccess events targeting lsass.exe

Forward Sysmon Event ID 10 and Windows Event ID 4688 to SIEM

Create detection rules for known GrantedAccess patterns (0x1010, 0x1FFFFF)

Detect comsvcs.dll MiniDump and procdump.exe targeting LSASS PID

Alert on reg.exe SAM/SECURITY/SYSTEM hive export commands

Detect ntdsutil/vssadmin shadow copy creation for NTDS.dit theft

Correlate detections with user/host context for risk scoring

Expected Output

JSON report containing detected credential dumping indicators with technique classification, severity ratings, process details, MITRE ATT&CK mapping, and Splunk/Elastic detection queries.