creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/detecting-credential-dumping-with-edr/references/workflows.md
T

4.4 KiB
Raw Blame History

Detailed Hunting Workflow - Credential Dumping Detection

Phase 1: LSASS Memory Access Hunting

Step 1.1 - Sysmon Event ID 10 Analysis

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| where NOT match(SourceImage, "(?i)(csrss|svchost|services|lsass|wininit|MsMpEng|MsSense|CrowdStrike)")
| eval suspicious_access=case(
    GrantedAccess="0x1FFFFF", "CRITICAL-Full_Access",
    GrantedAccess="0x1010", "HIGH-VM_Read_Query",
    GrantedAccess="0x1038", "HIGH-Credential_Dump_Mask",
    GrantedAccess="0x0410", "MEDIUM-Query_VM_Read",
    1=1, "LOW-Other"
)
| stats count by SourceImage, GrantedAccess, suspicious_access, Computer, User
| sort -count

Step 1.2 - KQL for Microsoft Defender for Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName == "lsass.exe"
| where InitiatingProcessFileName !in~ ("csrss.exe","svchost.exe","services.exe","MsMpEng.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc

Step 1.3 - CrowdStrike Falcon Query

event_simpleName=ProcessRollup2 TargetProcessImageFileName=lsass.exe
| where ContextProcessImageFileName!="csrss.exe" AND ContextProcessImageFileName!="svchost.exe"
| stats count by ContextProcessImageFileName ComputerName UserName

Phase 2: SAM/SECURITY Hive Access

Step 2.1 - Registry Save Operations

index=sysmon EventCode=1
| where match(CommandLine, "(?i)reg\s+(save|export)\s+.*(SAM|SECURITY|SYSTEM)")
| table _time Computer User Image CommandLine ParentImage

Step 2.2 - Shadow Copy for SAM Access

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(vssadmin|wmic)\s+.*(shadow|create)")
| append [
    search index=sysmon EventCode=1
    | where match(CommandLine, "(?i)copy.*\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy")
]
| table _time Computer User CommandLine ParentImage

Phase 3: DCSync Detection

Step 3.1 - Directory Replication Monitoring

index=wineventlog EventCode=4662
| where match(Properties, "(?i)(1131f6aa|1131f6ad|89e95b76)")
| where NOT match(SubjectUserName, "(?i)(\\$|DomainController)")
| table _time SubjectUserName SubjectDomainName ObjectName Properties

The GUIDs to monitor:

  • 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 = DS-Replication-Get-Changes
  • 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 = DS-Replication-Get-Changes-All
  • 89e95b76-444d-4c62-991a-0facbeda640c = DS-Replication-Get-Changes-In-Filtered-Set

Step 3.2 - Non-DC Source Validation

SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
| where Computer !in (known_domain_controllers)
| project TimeGenerated, Computer, SubjectAccount, SubjectDomainName

Phase 4: Tool-Specific Detection

Step 4.1 - Mimikatz Indicators

index=sysmon (EventCode=1 OR EventCode=10)
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::cng|privilege::debug)")
    OR (EventCode=10 AND TargetImage="*\\lsass.exe" AND GrantedAccess IN ("0x1010","0x1038"))
| table _time EventCode Computer User Image CommandLine GrantedAccess

Step 4.2 - Comsvcs.dll MiniDump Detection

index=sysmon EventCode=1 Image="*\\rundll32.exe"
| where match(CommandLine, "(?i)comsvcs.*MiniDump")
| table _time Computer User CommandLine ParentImage

Step 4.3 - ProcDump LSASS Detection

index=sysmon EventCode=1
| where match(CommandLine, "(?i)procdump.*(-ma|-accepteula).*lsass")
| table _time Computer User CommandLine ParentImage

Phase 5: Correlation and Impact Assessment

Step 5.1 - Post-Credential-Dump Lateral Movement

index=sysmon EventCode=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("0x1010","0x1038","0x1FFFFF")
| rename Computer as src_host
| join src_host [
    search index=wineventlog EventCode=4624 Logon_Type=3
    | rename Computer as src_host
]
| table _time src_host User SourceImage dest_host

Step 5.2 - Timeline Construction

Build a timeline correlating:

  1. Initial LSASS access event (credential dump)
  2. Subsequent authentication events (Pass-the-Hash/Ticket)
  3. Lateral movement to new hosts
  4. Additional credential dumping on new hosts

Phase 6: Reporting

Key Metrics to Report

  • Number of unique hosts with LSASS access anomalies
  • Tools identified (known vs. custom)
  • Accounts potentially compromised
  • Lateral movement scope
  • Time from initial dump to last detected activity
Reference in New Issue View Git Blame Copy Permalink