mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
71 lines
2.2 KiB
Markdown
71 lines
2.2 KiB
Markdown
# Detailed Hunting Workflow - T1003 Credential Dumping
|
|
|
|
## Phase 1: LSASS Memory Access Detection
|
|
|
|
### Step 1.1 - Sysmon Event 10 Analysis
|
|
```spl
|
|
index=sysmon EventCode=10
|
|
| where match(TargetImage, "(?i)lsass\.exe$")
|
|
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|SecurityHealthService|smartscreen)\.exe$")
|
|
| stats count values(GrantedAccess) as access_masks by SourceImage Computer
|
|
| sort -count
|
|
```
|
|
|
|
### Step 1.2 - EDR LSASS Alerts
|
|
```kql
|
|
AlertInfo
|
|
| where Title has_any ("LSASS", "credential", "Mimikatz")
|
|
| join AlertEvidence on AlertId
|
|
| project Timestamp, Title, DeviceName, FileName, ProcessCommandLine
|
|
```
|
|
|
|
## Phase 2: Credential Tool Detection
|
|
|
|
### Step 2.1 - Known Tool Command Lines
|
|
```spl
|
|
index=sysmon EventCode=1
|
|
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates|privilege::debug)")
|
|
OR match(OriginalFileName, "(?i)mimikatz")
|
|
OR (match(CommandLine, "(?i)procdump") AND match(CommandLine, "(?i)lsass"))
|
|
OR match(CommandLine, "(?i)comsvcs.*MiniDump")
|
|
| table _time Computer User Image CommandLine Hashes
|
|
```
|
|
|
|
### Step 2.2 - NTDS.dit Extraction
|
|
```spl
|
|
index=sysmon EventCode=1
|
|
| where match(CommandLine, "(?i)(vssadmin.*create\s+shadow|wmic\s+shadowcopy|ntdsutil.*ifm|esentutl.*ntds)")
|
|
| table _time Computer User CommandLine ParentImage
|
|
```
|
|
|
|
### Step 2.3 - Registry Hive Export
|
|
```spl
|
|
index=sysmon EventCode=1
|
|
| where match(CommandLine, "(?i)reg\s+(save|export)\s+hklm\\\\(sam|security|system)")
|
|
| table _time Computer User CommandLine
|
|
```
|
|
|
|
## Phase 3: Post-Dump Lateral Movement
|
|
|
|
### Step 3.1 - Pass-the-Hash Detection
|
|
```spl
|
|
index=wineventlog EventCode=4624 LogonType=9
|
|
| where AuthenticationPackageName="Negotiate"
|
|
| table _time TargetUserName IpAddress WorkstationName LogonProcessName
|
|
```
|
|
|
|
### Step 3.2 - Suspicious Remote Logons After Dump
|
|
```spl
|
|
index=wineventlog EventCode=4624 LogonType=3
|
|
| where _time > [credential_dump_timestamp]
|
|
| stats count by TargetUserName IpAddress WorkstationName
|
|
| sort -count
|
|
```
|
|
|
|
## Phase 4: Response Actions
|
|
1. Isolate affected endpoints
|
|
2. Reset ALL credentials that were potentially on compromised systems
|
|
3. Rotate KRBTGT if domain-level compromise suspected
|
|
4. Enable Credential Guard and RunAsPPL
|
|
5. Deploy ASR rules for LSASS protection
|