Overview

Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Detection rules analyze GrantedAccess bitmasks, suspicious calling processes, and known tool signatures.

When to Use

When investigating security incidents that require detecting credential dumping techniques
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe
Windows Security audit policy enabling process creation (Event ID 4688) with command line logging

Overview

When to Use

When investigating security incidents that require detecting credential dumping techniques
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe
Windows Security audit policy enabling process creation (Event ID 4688) with command line logging

Detecting Credential Dumping Techniques

Overview

When to Use

Prerequisites

Detecting Credential Dumping Techniques

Overview

When to Use

Prerequisites

Steps

Expected Output

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security