Mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git (synced 2026-06-26 03:34:37 +03:00)
Credential Dumping Hunt Template
Hunt Metadata
| Field | Value |
|---|---|
| Hunt ID | TH-CRED-DUMP-YYYY-MM-DD-NNN |
| Analyst | |
| Date | |
| Status | [ ] In Progress / [ ] Complete |
Hypothesis
[e.g., "Adversaries have used Mimikatz or similar tools to dump LSASS memory on compromised endpoints to harvest domain credentials."]
Target Techniques
- T1003.001 - LSASS Memory
- T1003.002 - Security Account Manager (SAM database)
- T1003.003 - NTDS (ntds.dit)
- T1003.004 - LSA Secrets
- T1003.005 - Cached Domain Credentials
- T1003.006 - DCSync
Data Sources
- Sysmon Event ID 10 (Process Access): handles opened on lsass.exe, with SourceImage, GrantedAccess and CallTrace
- Sysmon Event ID 1 (Process Creation): command lines of dumping tools (procdump, rundll32 comsvcs.dll MiniDump, reg save, ntdsutil, vssadmin)
- Windows Security 4656/4663: handle requests and object access on the SAM and SECURITY registry hives (only logged when a SACL is set on those keys)
- Windows Security 4662 (DCSync): operation on the domain object exercising the DS-Replication-Get-Changes* control-access rights; join to 4624 on Logon ID to recover the source host, since 4662 carries no source address
- EDR Telemetry: _______________
LSASS Access Findings
| # | Timestamp | Host | User | Source Process | Access Mask | Risk | Verdict |
|---|---|---|---|---|---|---|---|
| 1 | | | | | | | |
| 2 | | | | | | | |
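Added example, not code from the original template or the repository it comes from: a Python triage pass over exported Sysmon Event ID 10 records that produces pre-filled rows for the table above (Access Mask and Risk; Verdict is left for the analyst). The event records, host and user names, and the allowlist of benign source images are constructed assumptions for illustration; the access-right constants are the documented winnt.h values.

```python
# Process access rights (winnt.h) that matter for reading or tampering with
# another process. Mimikatz sekurlsa opens lsass with 0x1010 (VM_READ |
# QUERY_LIMITED_INFORMATION); MiniDumpWriteDump callers such as procdump use
# 0x1410 or 0x1FFFFF (PROCESS_ALL_ACCESS).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
TAMPER_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LSASS_IMAGE = "c:\\windows\\system32\\lsass.exe"

# Assumed allowlist of images that open lsass on a stock host. Match on full
# path and, in production, on the Authenticode signer as well: a dumper renamed
# into an allowlisted path would otherwise pass.
BENIGN_SOURCE_IMAGES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}
DEFENDER_PLATFORM_PREFIX = "c:\\programdata\\microsoft\\windows defender\\platform\\"

# Constructed Sysmon EID 10 records; field names follow the event's EventData.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 10:12:03.117", "Computer": "WS-042", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94|C:\\Windows\\System32\\csrsrv.dll+4c1a"},
    {"UtcTime": "2024-03-01 10:13:40.002", "Computer": "WS-042", "SourceUser": "CORP\\jdoe",
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94|C:\\Windows\\System32\\KERNELBASE.dll+2ca5e"},
    {"UtcTime": "2024-03-01 10:21:17.554", "Computer": "WS-042", "SourceUser": "CORP\\jdoe",
     "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94|UNKNOWN(00000000009F7B10)"},
    {"UtcTime": "2024-03-01 10:22:05.910", "Computer": "WS-042", "SourceUser": "CORP\\jdoe",
     "SourceImage": "C:\\Windows\\Temp\\pd64.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94|C:\\Windows\\SYSTEM32\\dbgcore.dll+1c4a"},
    {"UtcTime": "2024-03-01 10:30:00.301", "Computer": "WS-042", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "SourceImage": "C:\\Program Files\\Vendor\\agent.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94|C:\\Windows\\System32\\KERNELBASE.dll+2ca5e"},
    {"UtcTime": "2024-03-01 10:31:12.007", "Computer": "WS-042", "SourceUser": "CORP\\jdoe",
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a5a94"},
]


def is_allowlisted(image):
    img = image.lower()
    if img in BENIGN_SOURCE_IMAGES:
        return True
    return img.startswith(DEFENDER_PLATFORM_PREFIX) and img.endswith("\\msmpeng.exe")


def assess(event):
    """Score one Sysmon EID 10 record; None if the target is not lsass.exe."""
    if event["TargetImage"].lower() != LSASS_IMAGE:
        return None
    mask = int(event["GrantedAccess"], 16)
    trace = event.get("CallTrace", "").lower()
    can_read = bool(mask & PROCESS_VM_READ)
    can_tamper = bool(mask & TAMPER_RIGHTS)
    unbacked = "unknown(" in trace          # frame not backed by a module on disk
    minidump = "dbghelp.dll" in trace or "dbgcore.dll" in trace
    reasons = []
    if not (can_read or can_tamper):
        risk = "Low"
        reasons.append("query-only handle")
    elif is_allowlisted(event["SourceImage"]) and not (unbacked or minidump):
        risk = "Low"
        reasons.append("allowlisted source image")
    elif unbacked or minidump or can_tamper:
        risk = "High"
        reasons += [r for r, hit in (("unbacked code in call stack", unbacked),
                                     ("MiniDump API in call stack", minidump),
                                     ("write/thread rights on lsass", can_tamper)) if hit]
    else:
        risk = "Medium"
        reasons.append("VM_READ from unverified image")
    return {"Timestamp": event["UtcTime"], "Host": event["Computer"],
            "User": event.get("SourceUser", ""),   # only present in newer Sysmon builds
            "Source Process": event["SourceImage"], "Access Mask": event["GrantedAccess"],
            "Risk": risk, "Verdict": "", "Reasons": "; ".join(reasons)}


def triage(events):
    return [row for row in map(assess, events) if row]


def markdown_row(n, row):
    """Render a finding as a row of the LSASS Access Findings table."""
    cols = ("Timestamp", "Host", "User", "Source Process", "Access Mask", "Risk", "Verdict")
    return "| " + " | ".join([str(n)] + [row[c] for c in cols]) + " |"


if __name__ == "__main__":
    for n, row in enumerate(triage(SAMPLE_EVENTS), 1):
        print(markdown_row(n, row), "<!--", row["Reasons"], "-->")
```

The allowlist is the weak point of any such triage, so the scoring never lets it override a call stack containing UNKNOWN frames or dbgcore.dll: those are rated High regardless of the source path. A 0x1000 handle (query-limited only, as Task Manager opens) cannot read memory and is rated Low even from an unknown image.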
Tool Detection Findings
| # | Timestamp | Host | User | Tool | Command Line | Technique | Verdict |
|---|---|---|---|---|---|---|---|
| 1 | | | | | | | |
| 2 | | | | | | | |
DCSync Findings
| # | Timestamp | Source Host | User | Replication Right | Is Legitimate DC? | Verdict |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
Compromised Credentials Assessment
| Account | Type | Hash Type | Exposure Scope | Reset Required? |
|---|---|---|---|---|
| | | | | |
| | | | | |
Recommendations
- Immediate Actions: [Reset passwords of exposed accounts; if DCSync or NTDS.dit theft is confirmed, reset krbtgt twice and rotate service account credentials]
- Containment: [Isolate affected systems; revoke active sessions of exposed accounts]
- Detection Improvements: [New rules on LSASS access masks and call stacks, 4662 replication-right alerts, LSASS protection tamper alerts]
- Hardening: [Credential Guard, LSA protection (RunAsPPL), ASR rule "Block credential stealing from the Windows local security authority subsystem", Protected Users group for privileged accounts, review of which principals hold replication rights on the domain object]