Anthropic-Cybersecurity-Skills/skills/detecting-credential-dumping-techniques/references/api-reference.md
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00


# Credential Dumping Detection API Reference

## Sysmon Event ID 10 - ProcessAccess

### Key Fields

```text
SourceImage       - Process accessing LSASS
SourceProcessId   - PID of accessing process
TargetImage       - Should be C:\Windows\System32\lsass.exe
GrantedAccess     - Access rights bitmask
CallTrace         - DLL call stack of the access
```

### Suspicious GrantedAccess Values

| Value | Meaning | Tool Association |
|-------|---------|------------------|
| 0x1010 | VM_READ + QUERY_LIMITED | Mimikatz |
| 0x1410 | VM_READ + QUERY_INFO | ProcDump |
| 0x1FFFFF | PROCESS_ALL_ACCESS | Various dumpers |
| 0x1438 | VM_READ + QUERY + DUP_HANDLE | Cobalt Strike |
| 0x40 | DUP_HANDLE only | Handle duplication |

## Sysmon Event ID 1 - Process Creation

### Command Line Patterns for Credential Theft

```cmd
# SAM hive export
reg save hklm\sam C:\temp\sam.hiv
reg save hklm\security C:\temp\security.hiv
reg save hklm\system C:\temp\system.hiv

# comsvcs.dll LSASS dump
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_pid> dump.bin full

# NTDS.dit extraction
ntdsutil "activate instance ntds" ifm "create full C:\temp"
vssadmin create shadow /for=C:
```

## Splunk SPL Queries

### LSASS Access Detection

```spl
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
  GrantedAccess IN ("0x1010","0x1FFFFF","0x1410","0x1438")
  SourceImage!="*\\csrss.exe" SourceImage!="*\\svchost.exe"
| stats count by SourceImage, GrantedAccess, Computer, User
| sort -count
```

### comsvcs.dll MiniDump Detection

```spl
index=sysmon EventCode=1
  (CommandLine="*comsvcs*MiniDump*" OR CommandLine="*comsvcs*#24*")
| table _time, Computer, User, ParentImage, CommandLine
```

### SAM/SECURITY Hive Export

```spl
index=sysmon EventCode=1 Image="*\\reg.exe"
  (CommandLine="*save*hklm\\sam*" OR CommandLine="*save*hklm\\security*")
| table _time, Computer, User, CommandLine
```

## Elastic / KQL Queries

### LSASS Access in Elastic

```kql
event.code: "10" AND
  winlog.event_data.TargetImage: *lsass.exe AND
  winlog.event_data.GrantedAccess: ("0x1010" OR "0x1FFFFF")
```

### Process Creation with Credential Theft Commands

```kql
event.code: "1" AND
  (process.command_line: *comsvcs*MiniDump* OR
   process.command_line: *reg*save*hklm\\sam*)
```

## MITRE ATT&CK Mapping

| Sub-technique | ID | Detection Method |
|---------------|----|------------------|
| LSASS Memory | T1003.001 | Sysmon EID 10 GrantedAccess |
| Security Account Manager | T1003.002 | reg.exe save commands |
| NTDS | T1003.003 | ntdsutil / vssadmin commands |
| DCSync | T1003.006 | Event ID 4662 with replication GUIDs |
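The following is an added example, not the skill's own `agent.py`: it applies the Event ID 10 GrantedAccess table, the SPL query's csrss/svchost exclusions and the Event ID 1 command-line patterns above to a Sysmon XML export and tags each finding with the T1003 sub-technique from the mapping. The XML sample is constructed; the `Data Name="..."` layout under `EventData` is the standard Sysmon export format, and the tag checks ignore the XML namespace a real export carries.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export (not real telemetry): two EID 10 LSASS accesses, one EID 1.
SAMPLE_XML = r"""<Events>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Users\bob\tools\mk.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\reg.exe</Data>
<Data Name="CommandLine">reg save hklm\sam C:\temp\sam.hiv</Data></EventData></Event>
</Events>"""
# GrantedAccess values and tool hints from the table above; exclusions mirror the SPL query.
SUSPICIOUS_ACCESS = {"0x1010": "Mimikatz", "0x1410": "ProcDump",
                     "0x1FFFFF": "Various dumpers", "0x1438": "Cobalt Strike"}
BENIGN_SOURCES = ("\\csrss.exe", "\\svchost.exe")
# (ATT&CK sub-technique, command-line pattern) pairs built from the patterns listed above.
CMDLINE_PATTERNS = [
    ("T1003.002", re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)", re.I)),
    ("T1003.001", re.compile(r"comsvcs(\.dll)?,?\s*(MiniDump|#24)", re.I)),
    ("T1003.003", re.compile(r"ntdsutil.*\bifm\b|vssadmin\s+create\s+shadow", re.I)),
]

def _fields(event):
    """Map Data@Name -> text for one <Event>; endswith() checks ignore the Sysmon XML namespace."""
    return {d.get("Name"): (d.text or "") for d in event.iter()
            if d.tag.endswith("Data") and d.get("Name")}

def detect(xml_text):
    """Return findings (list of dicts) from a Sysmon XML export, covering EID 10 and EID 1."""
    findings = []
    for ev in (e for e in ET.fromstring(xml_text).iter() if e.tag.endswith("Event")):
        eid = next((e.text for e in ev.iter() if e.tag.endswith("EventID")), None)
        f = _fields(ev)
        if eid == "10" and f.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            src, access = f.get("SourceImage", ""), f.get("GrantedAccess", "")
            # Flag only the access masks from the table, minus the known-benign sources.
            if access in SUSPICIOUS_ACCESS and not src.lower().endswith(BENIGN_SOURCES):
                findings.append({"technique": "T1003.001", "source": src,
                                 "access": access, "tool_hint": SUSPICIOUS_ACCESS[access]})
        elif eid == "1":
            cmd = f.get("CommandLine", "")
            for tech, pat in CMDLINE_PATTERNS:
                if pat.search(cmd):
                    findings.append({"technique": tech, "source": f.get("Image", ""), "command": cmd})
    return findings
```

Running `detect(SAMPLE_XML)` yields two findings: the 0x1010 LSASS access from the non-system source image, and the `reg save hklm\sam` command; the csrss.exe access is suppressed by the exclusion list.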

## CLI Usage

```bash
# Analyze Sysmon XML export
python agent.py --sysmon-xml sysmon_events.xml --output cred_report.json

# Print Splunk detection queries
python agent.py --show-splunk
```