mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
mukul975
3.6 KiB
3.6 KiB
Standards and References - Credential Dumping Detection
MITRE ATT&CK Mappings
T1003 - OS Credential Dumping (Parent Technique)
| Sub-Technique | Name | Description |
|---|---|---|
| T1003.001 | LSASS Memory | Dumping credentials stored in LSASS process memory |
| T1003.002 | Security Account Manager | Extracting local hashes from SAM database |
| T1003.003 | NTDS | Stealing AD database from Domain Controllers |
| T1003.004 | LSA Secrets | Accessing stored service account credentials |
| T1003.005 | Cached Domain Credentials | Extracting DCC2 hashed credentials |
| T1003.006 | DCSync | Simulating DC replication to extract credentials |
| T1003.007 | Proc Filesystem (/proc) | Linux credential extraction |
| T1003.008 | /etc/passwd and /etc/shadow | Unix credential files |
Related Techniques
- T1555 - Credentials from Password Stores: Browser, keychain, password manager credentials
- T1552 - Unsecured Credentials: Files, registry, bash history, cloud metadata
- T1558 - Steal or Forge Kerberos Tickets: Kerberoasting, Golden/Silver tickets
- T1550 - Use Alternate Authentication Material: Pass the Hash, Pass the Ticket
Tactic
- TA0006 - Credential Access
Detection Data Sources
LSASS Access Detection
| Source | Event ID | Details |
|---|---|---|
| Sysmon | 10 | ProcessAccess - TargetImage = lsass.exe |
| Windows Security | 4656 | Handle requested to process object |
| Windows Security | 4663 | Attempt to access process object |
| Windows Security | 4688 | Process creation with command line |
| ETW | Microsoft-Windows-Kernel-Process | Kernel-level process access |
SAM/Registry Detection
| Source | Event ID | Details |
|---|---|---|
| Sysmon | 1 | reg.exe with save SAM/SECURITY/SYSTEM |
| Windows Security | 4656 | Handle to registry key |
| Windows Security | 4688 | reg.exe/regedit.exe command line |
DCSync Detection
| Source | Event ID | Details |
|---|---|---|
| Windows Security | 4662 | DS-Replication-Get-Changes operation |
| Windows Security | 4624/4625 | Authentication to DC from non-DC source |
| Network | DRSUAPI | RPC calls for directory replication |
NTDS Access Detection
| Source | Event ID | Details |
|---|---|---|
| Sysmon | 1 | ntdsutil.exe, vssadmin.exe execution |
| Windows Security | 4688 | Shadow copy creation commands |
| VSS | 8224 | Volume Shadow Copy Service operations |
LSASS Access Mask Reference
| Access Mask | Hex | Meaning |
|---|---|---|
| PROCESS_VM_READ | 0x0010 | Read process memory |
| PROCESS_QUERY_INFORMATION | 0x0400 | Query process info |
| 0x1010 | Combined | VM_READ + QUERY_INFO (Mimikatz default) |
| 0x1038 | Combined | Common credential dumping mask |
| 0x1FFFFF | PROCESS_ALL_ACCESS | Full access to process |
| 0x0410 | Combined | Query + VM_READ minimal |
Known Credential Dumping Tools
| Tool | Technique | Detection Signature |
|---|---|---|
| Mimikatz | T1003.001, T1003.006 | LSASS access with 0x1010, sekurlsa module |
| LaZagne | T1003.001, T1555 | Multi-credential extractor |
| ProcDump | T1003.001 | Signed MS tool, -ma lsass.exe |
| comsvcs.dll | T1003.001 | MiniDump via rundll32 |
| secretsdump.py | T1003.002, T1003.003, T1003.006 | Impacket DCSync/SAM |
| ntdsutil.exe | T1003.003 | IFM creation for NTDS |
| SharpDump | T1003.001 | .NET LSASS dumper |
| PPLdump | T1003.001 | PPL bypass LSASS dump |
| nanodump | T1003.001 | Stealthy minidump |
Regulatory References
- NIST SP 800-171 Rev 2: 3.1.1 (Access Control)
- CIS Controls v8: Control 6 (Access Control Management)
- PCI DSS 4.0: Requirement 7 (Restrict Access)