creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 16:03:17 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-t1003-credential-dumping-with-edr/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

95 lines
2.5 KiB
Markdown
Raw Blame History

# API Reference: T1003 Credential Dumping Detection
## MITRE ATT&CK T1003 Sub-Techniques
| Sub-technique | Name | Detection |
|---------------|------|-----------|
| T1003.001 | LSASS Memory | Sysmon Event 10 |
| T1003.002 | SAM Registry | Event 4688 |
| T1003.003 | NTDS.dit | Event 4688, VSS events |
| T1003.004 | LSA Secrets | Registry access |
| T1003.005 | Cached Domain Creds | Registry access |
| T1003.006 | DCSync | Event 4662 |
## Sysmon Events for Credential Dumping
### Event ID 10 — ProcessAccess
| Field | Description |
|-------|-------------|
| SourceProcessId | PID of accessing process |
| SourceImage | Path of accessing process |
| TargetProcessId | PID of target (lsass.exe) |
| TargetImage | Path of target process |
| GrantedAccess | Access mask |
### Suspicious Access Masks
| Mask | Meaning |
|------|---------|
| 0x1010 | QUERY_LIMITED + VM_READ |
| 0x1FFFFF | PROCESS_ALL_ACCESS |
| 0x1410 | QUERY_INFO + VM_READ |
| 0x0040 | DUP_HANDLE |
### Event ID 1 — ProcessCreate
```xml
<Data Name="Image">C:\tools\mimikatz.exe</Data>
<Data Name="CommandLine">mimikatz.exe "sekurlsa::logonpasswords"</Data>
```
## Windows Security Event Log
### Event 4688 — Process Creation
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}
```
### Event 4662 — Object Access (DCSync detection)
```
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes
Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes-All
```
## CrowdStrike Falcon — Detection Query
### Search for credential access alerts
```http
GET https://api.crowdstrike.com/detects/queries/detects/v1
?filter=behaviors.tactic:'Credential Access'
Authorization: Bearer {token}
```
## Microsoft Defender ATP — Advanced Hunting
### LSASS Access KQL
```kql
DeviceProcessEvents
| where FileName == "lsass.exe"
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe")
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName
```
## Sigma Rules
### LSASS Memory Access
```yaml
title: LSASS Memory Access by Non-System Process
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1010'
- '0x1FFFFF'
filter:
SourceImage|endswith:
- '\svchost.exe'
- '\csrss.exe'
condition: selection and not filter
level: critical
```
Reference in New Issue View Git Blame Copy Permalink