mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
91 lines
4.5 KiB
Markdown
91 lines
4.5 KiB
Markdown
---
|
|
name: detecting-credential-dumping-with-edr
|
|
description: Detect OS credential dumping techniques including LSASS access, SAM extraction, and DCSync using EDR telemetry and Sysmon logs.
|
|
domain: cybersecurity
|
|
subdomain: threat-hunting
|
|
tags: [threat-hunting, mitre-attack, credential-dumping, edr, lsass, t1003, proactive-detection]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
|
|
# Detecting Credential Dumping with EDR
|
|
|
|
## When to Use
|
|
|
|
- When hunting for post-exploitation credential theft in compromised environments
|
|
- After detecting suspicious LSASS process access in EDR alerts
|
|
- When investigating potential Active Directory compromise
|
|
- During incident response to determine scope of credential exposure
|
|
- When proactively hunting for T1003 sub-techniques across endpoints
|
|
|
|
## Prerequisites
|
|
|
|
- EDR platform with process access monitoring (CrowdStrike, MDE, SentinelOne)
|
|
- Sysmon deployed with Event ID 10 (Process Access) configured for LSASS
|
|
- Windows Security Event Log 4688 with command-line auditing enabled
|
|
- Active Directory event forwarding for DCSync detection (Event ID 4662)
|
|
- Windows Security Event Log 4656/4663 for SAM registry access
|
|
|
|
## Workflow
|
|
|
|
1. **Identify Credential Dumping Vectors**: Map the T1003 sub-techniques relevant to your environment (LSASS Memory, SAM, NTDS, DCSync, /etc/passwd, Cached Credentials).
|
|
2. **Query LSASS Access Events**: Search for Sysmon Event ID 10 where TargetImage is lsass.exe with suspicious GrantedAccess masks (0x1010, 0x1038, 0x1FFFFF).
|
|
3. **Analyze Process Context**: Examine the source process accessing LSASS - legitimate security tools vs. unknown or suspicious binaries.
|
|
4. **Hunt for SAM/NTDS Access**: Query for reg.exe save operations against SAM/SECURITY/SYSTEM hives and ntdsutil/vssadmin shadow copy access.
|
|
5. **Detect DCSync Activity**: Monitor for DS-Replication-Get-Changes requests from non-domain-controller sources (Event ID 4662).
|
|
6. **Correlate with Network Activity**: Cross-reference credential dumping with subsequent lateral movement or authentication anomalies.
|
|
7. **Assess Impact and Report**: Determine which credentials were potentially exposed and recommend password resets and containment.
|
|
|
|
## Key Concepts
|
|
|
|
| Concept | Description |
|
|
|---------|-------------|
|
|
| T1003 | OS Credential Dumping - parent technique |
|
|
| T1003.001 | LSASS Memory - dumping credentials from LSASS process |
|
|
| T1003.002 | Security Account Manager (SAM) - extracting local password hashes |
|
|
| T1003.003 | NTDS - extracting AD database from Domain Controllers |
|
|
| T1003.004 | LSA Secrets - accessing stored service credentials |
|
|
| T1003.005 | Cached Domain Credentials (DCC2) |
|
|
| T1003.006 | DCSync - replicating AD credentials via DRSUAPI |
|
|
| LSASS | Local Security Authority Subsystem Service |
|
|
| GrantedAccess | Bitmask indicating the access rights requested for a process |
|
|
| Minidump | Memory dump technique used by tools like comsvcs.dll |
|
|
|
|
## Tools & Systems
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| CrowdStrike Falcon | LSASS access detection and process tree analysis |
|
|
| Microsoft Defender for Endpoint | Advanced hunting for credential access events |
|
|
| Sysmon | Process access monitoring (Event ID 10) |
|
|
| Velociraptor | Endpoint artifact collection for LSASS analysis |
|
|
| Elastic Security | Correlation of credential dumping indicators |
|
|
| Splunk | SPL queries for credential access event analysis |
|
|
| Volatility | Memory forensics for LSASS credential extraction |
|
|
|
|
## Common Scenarios
|
|
|
|
1. **Mimikatz LSASS Dump**: Attacker runs `sekurlsa::logonpasswords` causing direct LSASS memory read with GrantedAccess 0x1010.
|
|
2. **Comsvcs.dll MiniDump**: Process uses `rundll32.exe comsvcs.dll MiniDump [LSASS PID]` to create LSASS memory dump file.
|
|
3. **ProcDump LSASS**: Attacker uses Microsoft-signed procdump.exe with `-ma lsass.exe` to dump LSASS memory.
|
|
4. **SAM Registry Export**: Adversary runs `reg save HKLM\SAM sam.bak` to extract local password hashes.
|
|
5. **DCSync Replication**: Compromised account with Replicating Directory Changes permissions performs DCSync from a workstation.
|
|
6. **NTDS Shadow Copy**: Attacker uses `vssadmin create shadow /for=C:` then copies ntds.dit from the shadow copy.
|
|
|
|
## Output Format
|
|
|
|
```
|
|
Hunt ID: TH-CRED-DUMP-[DATE]-[SEQ]
|
|
Technique: T1003.[Sub-technique]
|
|
Source Process: [Process accessing LSASS/SAM/NTDS]
|
|
Target: [lsass.exe / SAM / NTDS.dit / DC Replication]
|
|
Host: [Hostname]
|
|
User: [Account context]
|
|
GrantedAccess: [Access mask if applicable]
|
|
Timestamp: [UTC]
|
|
Risk Level: [Critical/High/Medium/Low]
|
|
Evidence: [Log entries, process tree, network activity]
|
|
Recommended Action: [Password reset scope, containment steps]
|
|
```
|