Detailed Hunting Workflow - T1003 Credential Dumping

Phase 1: LSASS Memory Access Detection

Step 1.1 - Sysmon Event 10 Analysis

index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|SecurityHealthService|smartscreen)\.exe$")
| stats count values(GrantedAccess) as access_masks by SourceImage Computer
| sort -count
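The Step 1.1 filter and aggregation run over constructed Sysmon Event 10 records, as an added Python example that is not part of the original workflow; it also decodes the GrantedAccess masks, which the SPL only lists. The JSON field names (EventCode, SourceImage, TargetImage, GrantedAccess, Computer), the sample events and the allowlist are assumptions taken from the query above.

```python
import json
import re
from collections import defaultdict

# Win32 PROCESS_VM_READ; 0x1FFFFF (PROCESS_ALL_ACCESS) includes it too.
PROCESS_VM_READ = 0x0010
TARGET_RE = re.compile(r"lsass\.exe$", re.IGNORECASE)
# Same allowlist as the SPL query above; tune it per environment.
ALLOWLIST_RE = re.compile(
    r"(csrss|lsass|svchost|MsMpEng|WmiPrvSE|SecurityHealthService|smartscreen)\.exe$",
    re.IGNORECASE)

def hunt_lsass_access(lines):
    """Step 1.1 logic: Event 10 opens of lsass.exe from non-allowlisted
    sources, aggregated by (SourceImage, Computer) and sorted by count."""
    buckets = defaultdict(lambda: {"count": 0, "masks": set()})
    for line in lines:
        ev = json.loads(line)
        if (ev.get("EventCode") != 10
                or not TARGET_RE.search(ev.get("TargetImage", ""))
                or ALLOWLIST_RE.search(ev.get("SourceImage", ""))):
            continue
        agg = buckets[(ev["SourceImage"], ev["Computer"])]
        agg["count"] += 1
        agg["masks"].add(int(ev["GrantedAccess"], 16))  # Sysmon logs "0x1010"-style hex
    results = []
    for (src, host), agg in buckets.items():
        masks = sorted(agg["masks"])
        results.append({
            "SourceImage": src, "Computer": host, "count": agg["count"],
            "access_masks": [hex(m) for m in masks],
            # VM_READ is needed to dump memory; QUERY-only opens such as
            # 0x1400 are usual for benign inventory and monitoring tools.
            "can_read_memory": any(m & PROCESS_VM_READ for m in masks)})
    return sorted(results, key=lambda r: -r["count"])

# Constructed sample events (not real telemetry), as Splunk-style JSON lines.
LSASS = "C:\\Windows\\System32\\lsass.exe"
FIELDS = ("EventCode", "Computer", "SourceImage", "TargetImage", "GrantedAccess")
SAMPLE_EVENTS = [json.dumps(dict(zip(FIELDS, row))) for row in [
    (10, "WS01", "C:\\Windows\\System32\\csrss.exe", LSASS, "0x1FFFFF"),  # allowlisted
    (10, "WS01", "C:\\Windows\\System32\\wbem\\WMIPRVSE.EXE", LSASS, "0x1410"),  # case-insensitive allowlist
    (10, "WS01", "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", LSASS, "0x1010"),
    (10, "WS01", "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", LSASS, "0x1FFFFF"),
    (10, "WS01", "C:\\Windows\\System32\\Taskmgr.exe", "C:\\Windows\\System32\\notepad.exe", "0x1410"),  # not lsass
    (10, "SRV02", "C:\\ProgramData\\inv\\inventory.exe", LSASS, "0x1400"),
]]

if __name__ == "__main__": print(*hunt_lsass_access(SAMPLE_EVENTS), sep="\n")
```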

Step 1.2 - EDR LSASS Alerts

AlertInfo
| where Title has_any ("LSASS", "credential", "Mimikatz")
| join AlertEvidence on AlertId
| project Timestamp, Title, DeviceName, FileName, ProcessCommandLine

Phase 2: Credential Tool Detection

Step 2.1 - Known Tool Command Lines

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates|privilege::debug)")
    OR match(OriginalFileName, "(?i)mimikatz")
    OR (match(CommandLine, "(?i)procdump") AND match(CommandLine, "(?i)lsass"))
    OR match(CommandLine, "(?i)comsvcs.*MiniDump")
| table _time Computer User Image CommandLine Hashes

Step 2.2 - NTDS.dit Extraction

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(vssadmin.*create\s+shadow|wmic\s+shadowcopy|ntdsutil.*ifm|esentutl.*ntds)")
| table _time Computer User CommandLine ParentImage

Step 2.3 - Registry Hive Export

index=sysmon EventCode=1
| where match(CommandLine, "(?i)reg\s+(save|export)\s+hklm\\\\(sam|security|system)")
| table _time Computer User CommandLine

Phase 3: Post-Dump Lateral Movement

Step 3.1 - Pass-the-Hash Detection

index=wineventlog EventCode=4624 LogonType=9
| where AuthenticationPackageName="Negotiate"
| table _time TargetUserName IpAddress WorkstationName LogonProcessName

Step 3.2 - Suspicious Remote Logons After Dump

index=wineventlog EventCode=4624 LogonType=3
| where _time > [credential_dump_timestamp]
| stats count by TargetUserName IpAddress WorkstationName
| sort -count

Phase 4: Response Actions

  1. Isolate affected endpoints
  2. Reset ALL credentials that were potentially on compromised systems
  3. Rotate KRBTGT if domain-level compromise suspected
  4. Enable Credential Guard and RunAsPPL
  5. Deploy ASR rules for LSASS protection