threat hunting

Detecting T1003 Credential Dumping with EDR

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

credential-dumpingedrlsassmimikatzmitre-t1003ntdssam-databasethreat-hunting
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When hunting for credential theft activity in the environment
  • After compromise indicators suggest attacker has elevated privileges
  • When EDR alerts fire for LSASS access or suspicious process memory reads
  • During incident response to determine scope of credential compromise
  • When auditing LSASS protection controls (Credential Guard, RunAsPPL)

Prerequisites

  • EDR agent deployed with LSASS access monitoring (CrowdStrike, Defender for Endpoint, SentinelOne)
  • Sysmon Event ID 10 (ProcessAccess) with LSASS-specific filters
  • Windows Security Event ID 4656/4663 (Object Access Auditing)
  • LSASS SACL auditing enabled (Windows 10+)
  • Registry auditing for SAM hive access

Workflow

  1. Monitor LSASS Process Access: Track all processes opening handles to lsass.exe with suspicious access rights (PROCESS_VM_READ 0x0010, PROCESS_ALL_ACCESS 0x1FFFFF). Non-privileged or unusual processes accessing LSASS are strong indicators.
  2. Detect Credential Dumping Tools: Hunt for known tool signatures -- Mimikatz (sekurlsa::logonpasswords), procdump.exe targeting LSASS, comsvcs.dll MiniDump, and Task Manager creating LSASS dumps.
  3. Monitor NTDS.dit Access: Detect Volume Shadow Copy creation (vssadmin, wmic shadowcopy) followed by NTDS.dit file access, or ntdsutil.exe IFM creation.
  4. Track SAM/SECURITY/SYSTEM Hive Access: Hunt for reg.exe save commands targeting SAM, SECURITY, and SYSTEM registry hives.
  5. Detect DCSync Activity: Monitor for non-DC accounts requesting directory replication (Event 4662 with replication GUIDs).
  6. Correlate with Lateral Movement: After credential dumping, attackers typically move laterally. Correlate credential access events with subsequent remote logon attempts.
  7. Assess Impact: Determine which credentials were potentially compromised and initiate password resets.

Key Concepts

Concept Description
T1003.001 LSASS Memory -- dumping credentials from LSASS process
T1003.002 Security Account Manager -- extracting local account hashes from SAM
T1003.003 NTDS -- extracting domain hashes from Active Directory database
T1003.004 LSA Secrets -- extracting service account passwords
T1003.005 Cached Domain Credentials -- extracting DCC2 hashes
T1003.006 DCSync -- replicating credentials from domain controller
Credential Guard Virtualization-based isolation of LSASS secrets
RunAsPPL Protected Process Light for LSASS

Detection Queries

Splunk -- LSASS Access Detection

index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where GrantedAccess IN ("0x1FFFFF", "0x1F3FFF", "0x143A", "0x1F0FFF", "0x0040", "0x1010", "0x1410")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|taskmgr|procexp|SecurityHealthService)\.exe$")
| table _time Computer SourceImage SourceProcessId GrantedAccess CallTrace

Splunk -- Credential Dumping Tool Detection

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates)")
    OR match(CommandLine, "(?i)procdump.*-ma.*lsass")
    OR match(CommandLine, "(?i)comsvcs\.dll.*MiniDump")
    OR match(CommandLine, "(?i)ntdsutil.*\"ac i ntds\".*ifm")
    OR match(CommandLine, "(?i)reg\s+save\s+hklm\\\\(sam|security|system)")
    OR match(CommandLine, "(?i)vssadmin.*create\s+shadow")
| table _time Computer User Image CommandLine ParentImage

KQL -- Microsoft Defender for Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("LsassAccess", "CredentialDumpingActivity")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, ActionType, AdditionalFields
| sort by Timestamp desc

Sigma Rule -- LSASS Credential Dumping

title: LSASS Memory Credential Dumping Attempt
status: stable
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1FFFFF'
            - '0x1F3FFF'
            - '0x143A'
            - '0x0040'
    filter:
        SourceImage|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\MsMpEng.exe'
            - '\svchost.exe'
    condition: selection and not filter
level: critical
tags:
    - attack.credential_access
    - attack.t1003.001

Common Scenarios

  1. Mimikatz sekurlsa: Direct LSASS memory reading via sekurlsa::logonpasswords to extract plaintext passwords, NTLM hashes, and Kerberos tickets.
  2. ProcDump LSASS: procdump.exe -ma lsass.exe lsass.dmp creating a memory dump for offline credential extraction.
  3. Comsvcs.dll MiniDump: rundll32.exe comsvcs.dll MiniDump [LSASS_PID] dump.bin full using a built-in Windows DLL for LSASS dumping.
  4. NTDS.dit Extraction: Creating a Volume Shadow Copy and copying NTDS.dit + SYSTEM hive for offline domain hash extraction with secretsdump.
  5. SAM Hive Export: reg save HKLM\SAM sam.save followed by reg save HKLM\SYSTEM system.save for local account hash extraction.
  6. Task Manager Dump: Right-clicking LSASS in Task Manager to create a memory dump -- a legitimate tool abused for credential theft.

Output Format

Hunt ID: TH-CRED-[DATE]-[SEQ]
Host: [Hostname]
Dumping Method: [LSASS_Access/NTDS/SAM/DCSync]
Source Process: [Tool or process used]
Target: [LSASS/NTDS.dit/SAM/SECURITY]
Access Rights: [Granted access mask]
User Context: [Account performing the dump]
ATT&CK Technique: [T1003.00x]
Risk Level: [Critical/High/Medium]
Credentials at Risk: [Scope assessment]
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.5 KB

API Reference: T1003 Credential Dumping Detection

MITRE ATT&CK T1003 Sub-Techniques

Sub-technique Name Detection
T1003.001 LSASS Memory Sysmon Event 10
T1003.002 SAM Registry Event 4688
T1003.003 NTDS.dit Event 4688, VSS events
T1003.004 LSA Secrets Registry access
T1003.005 Cached Domain Creds Registry access
T1003.006 DCSync Event 4662

Sysmon Events for Credential Dumping

Event ID 10 — ProcessAccess

Field Description
SourceProcessId PID of accessing process
SourceImage Path of accessing process
TargetProcessId PID of target (lsass.exe)
TargetImage Path of target process
GrantedAccess Access mask

Suspicious Access Masks

Mask Meaning
0x1010 QUERY_LIMITED + VM_READ
0x1FFFFF PROCESS_ALL_ACCESS
0x1410 QUERY_INFO + VM_READ
0x0040 DUP_HANDLE

Event ID 1 — ProcessCreate

<Data Name="Image">C:\tools\mimikatz.exe</Data>
<Data Name="CommandLine">mimikatz.exe "sekurlsa::logonpasswords"</Data>

Windows Security Event Log

Event 4688 — Process Creation

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}

Event 4662 — Object Access (DCSync detection)

Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}  # DS-Replication-Get-Changes
Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}  # DS-Replication-Get-Changes-All

CrowdStrike Falcon — Detection Query

Search for credential access alerts

GET https://api.crowdstrike.com/detects/queries/detects/v1
    ?filter=behaviors.tactic:'Credential Access'
Authorization: Bearer {token}

Microsoft Defender ATP — Advanced Hunting

LSASS Access KQL

DeviceProcessEvents
| where FileName == "lsass.exe"
| join kind=inner (
    DeviceProcessEvents
    | where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe")
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName

Sigma Rules

LSASS Memory Access

title: LSASS Memory Access by Non-System Process
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1010'
            - '0x1FFFFF'
    filter:
        SourceImage|endswith:
            - '\svchost.exe'
            - '\csrss.exe'
    condition: selection and not filter
level: critical
standards.md2.2 KB

Standards and References - T1003 Credential Dumping Detection

MITRE ATT&CK Credential Dumping Sub-Techniques

Sub-Technique Target Common Tools Primary Detection
T1003.001 LSASS Memory Mimikatz, ProcDump, comsvcs.dll Sysmon Event 10, EDR LSASS alerts
T1003.002 SAM Database reg save, Mimikatz Registry access auditing
T1003.003 NTDS.dit ntdsutil, vssadmin, secretsdump VSS creation + file access
T1003.004 LSA Secrets Mimikatz, reg save Registry access to SECURITY hive
T1003.005 Cached Domain Creds Mimikatz, cachedump SECURITY hive access
T1003.006 DCSync Mimikatz, Impacket Event 4662 replication GUIDs

LSASS Access Masks for Credential Dumping

Access Mask Meaning Risk Level
0x1FFFFF PROCESS_ALL_ACCESS Critical
0x1F3FFF Near-full access Critical
0x143A Mimikatz typical access Critical
0x1F0FFF Full minus synchronize Critical
0x0040 PROCESS_VM_READ High
0x1010 PROCESS_VM_READ + QUERY_INFO High

Protection Controls

Control Description Effectiveness
Credential Guard Virtualizes LSASS secrets High -- prevents plaintext extraction
RunAsPPL Protected Process Light for LSASS Medium -- blocks unsigned callers
ASR Rules Attack Surface Reduction for LSASS Medium -- blocks common tools
LSASS SACL Audit logging for LSASS access Detection only
Windows Defender Credential Guard Hardware-backed isolation High

Known Credential Dumping Tools

Tool Method Detection Signature
Mimikatz Direct LSASS read via API sekurlsa::, lsadump::
ProcDump LSASS dump via MiniDumpWriteDump procdump -ma lsass
comsvcs.dll Built-in DLL MiniDump function comsvcs.dll,MiniDump
Task Manager GUI-based LSASS dump taskmgr.exe accessing lsass
ntdsutil IFM creation for NTDS "ac i ntds" "ifm"
secretsdump.py Remote NTDS extraction Impacket network activity
LaZagne Multi-source credential harvesting lazagne.exe all
workflows.md2.2 KB

Detailed Hunting Workflow - T1003 Credential Dumping

Phase 1: LSASS Memory Access Detection

Step 1.1 - Sysmon Event 10 Analysis

index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|SecurityHealthService|smartscreen)\.exe$")
| stats count values(GrantedAccess) as access_masks by SourceImage Computer
| sort -count

Step 1.2 - EDR LSASS Alerts

AlertInfo
| where Title has_any ("LSASS", "credential", "Mimikatz")
| join AlertEvidence on AlertId
| project Timestamp, Title, DeviceName, FileName, ProcessCommandLine

Phase 2: Credential Tool Detection

Step 2.1 - Known Tool Command Lines

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates|privilege::debug)")
    OR match(OriginalFileName, "(?i)mimikatz")
    OR (match(CommandLine, "(?i)procdump") AND match(CommandLine, "(?i)lsass"))
    OR match(CommandLine, "(?i)comsvcs.*MiniDump")
| table _time Computer User Image CommandLine Hashes

Step 2.2 - NTDS.dit Extraction

index=sysmon EventCode=1
| where match(CommandLine, "(?i)(vssadmin.*create\s+shadow|wmic\s+shadowcopy|ntdsutil.*ifm|esentutl.*ntds)")
| table _time Computer User CommandLine ParentImage

Step 2.3 - Registry Hive Export

index=sysmon EventCode=1
| where match(CommandLine, "(?i)reg\s+(save|export)\s+hklm\\\\(sam|security|system)")
| table _time Computer User CommandLine

Phase 3: Post-Dump Lateral Movement

Step 3.1 - Pass-the-Hash Detection

index=wineventlog EventCode=4624 LogonType=9
| where AuthenticationPackageName="Negotiate"
| table _time TargetUserName IpAddress WorkstationName LogonProcessName

Step 3.2 - Suspicious Remote Logons After Dump

index=wineventlog EventCode=4624 LogonType=3
| where _time > [credential_dump_timestamp]
| stats count by TargetUserName IpAddress WorkstationName
| sort -count

Phase 4: Response Actions

  1. Isolate affected endpoints
  2. Reset ALL credentials that were potentially on compromised systems
  3. Rotate KRBTGT if domain-level compromise suspected
  4. Enable Credential Guard and RunAsPPL
  5. Deploy ASR rules for LSASS protection

Scripts 2

agent.py6.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for detecting T1003 credential dumping via EDR telemetry analysis."""

import argparse
import json
import re
import subprocess
import sys
from datetime import datetime, timezone


LSASS_ACCESS_MASKS = {
    0x1010: "PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ",
    0x1FFFFF: "PROCESS_ALL_ACCESS",
    0x1410: "PROCESS_QUERY_INFORMATION | PROCESS_VM_READ",
    0x0040: "PROCESS_DUP_HANDLE",
}

CREDENTIAL_DUMP_TOOLS = [
    "mimikatz", "procdump", "sqldumper", "comsvcs.dll",
    "nanodump", "pypykatz", "lazagne", "secretsdump",
    "gsecdump", "wce.exe", "fgdump", "pwdump",
    "ntdsutil", "reg save hklm\\sam", "reg save hklm\\system",
]

SYSMON_EVENTS = {
    1: "Process Creation",
    10: "Process Access (LSASS read)",
    11: "File Create (credential dump file)",
    7: "Image Loaded (suspicious DLL)",
}


def check_lsass_access_sysmon():
    """Query Sysmon Event ID 10 for LSASS process access."""
    findings = []
    if sys.platform != "win32":
        return findings
    ps_cmd = (
        "Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';"
        "Id=10} -MaxEvents 500 "
        "| Where-Object {$_.Properties[8].Value -match 'lsass'} "
        "| Select-Object TimeCreated,"
        "@{N='SourceProcess';E={$_.Properties[4].Value}},"
        "@{N='SourcePID';E={$_.Properties[3].Value}},"
        "@{N='TargetProcess';E={$_.Properties[8].Value}},"
        "@{N='GrantedAccess';E={$_.Properties[10].Value}} "
        "| ConvertTo-Json -Depth 3"
    )
    try:
        result = subprocess.check_output(
            ["powershell", "-NoProfile", "-Command", ps_cmd],
            text=True, errors="replace", timeout=30
        )
        data = json.loads(result) if result.strip() else []
        if not isinstance(data, list):
            data = [data]
        for evt in data:
            source = evt.get("SourceProcess", "")
            access = evt.get("GrantedAccess", "")
            if not any(safe in source.lower() for safe in ["svchost", "csrss", "lsass", "wmiprvse"]):
                findings.append({
                    "time": evt.get("TimeCreated", ""),
                    "source": source,
                    "target": evt.get("TargetProcess", ""),
                    "access_mask": access,
                    "suspicious": True,
                })
    except (subprocess.SubprocessError, json.JSONDecodeError):
        pass
    return findings


def check_credential_dump_processes():
    """Check for known credential dumping tool processes."""
    findings = []
    if sys.platform != "win32":
        return findings
    ps_cmd = (
        "Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';"
        "Id=1} -MaxEvents 1000 "
        "| Select-Object TimeCreated,"
        "@{N='Image';E={$_.Properties[4].Value}},"
        "@{N='CommandLine';E={$_.Properties[10].Value}},"
        "@{N='ParentImage';E={$_.Properties[20].Value}} "
        "| ConvertTo-Json -Depth 3"
    )
    try:
        result = subprocess.check_output(
            ["powershell", "-NoProfile", "-Command", ps_cmd],
            text=True, errors="replace", timeout=30
        )
        data = json.loads(result) if result.strip() else []
        if not isinstance(data, list):
            data = [data]
        for evt in data:
            cmdline = (evt.get("CommandLine", "") or "").lower()
            image = (evt.get("Image", "") or "").lower()
            for tool in CREDENTIAL_DUMP_TOOLS:
                if tool.lower() in cmdline or tool.lower() in image:
                    findings.append({
                        "time": evt.get("TimeCreated", ""),
                        "image": evt.get("Image", ""),
                        "commandline": evt.get("CommandLine", "")[:200],
                        "tool_match": tool,
                    })
                    break
    except (subprocess.SubprocessError, json.JSONDecodeError):
        pass
    return findings


def check_sam_ntds_access():
    """Check for SAM/NTDS.dit/SYSTEM registry hive access."""
    findings = []
    patterns = [
        r"reg\s+save\s+hklm\\sam",
        r"reg\s+save\s+hklm\\system",
        r"reg\s+save\s+hklm\\security",
        r"ntdsutil.*\"ac\s+i\s+ntds\"",
        r"vssadmin.*create\s+shadow",
        r"copy.*ntds\.dit",
    ]
    if sys.platform != "win32":
        return findings
    ps_cmd = (
        "Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} -MaxEvents 500 "
        "| Select-Object TimeCreated,"
        "@{N='CommandLine';E={$_.Properties[8].Value}} "
        "| ConvertTo-Json"
    )
    try:
        result = subprocess.check_output(
            ["powershell", "-NoProfile", "-Command", ps_cmd],
            text=True, errors="replace", timeout=30
        )
        data = json.loads(result) if result.strip() else []
        if not isinstance(data, list):
            data = [data]
        for evt in data:
            cmdline = (evt.get("CommandLine", "") or "").lower()
            for pat in patterns:
                if re.search(pat, cmdline):
                    findings.append({
                        "time": evt.get("TimeCreated", ""),
                        "commandline": cmdline[:200],
                        "pattern": pat,
                    })
    except (subprocess.SubprocessError, json.JSONDecodeError):
        pass
    return findings


def main():
    parser = argparse.ArgumentParser(
        description="Detect T1003 credential dumping via EDR telemetry"
    )
    parser.add_argument("--output", "-o", help="Output JSON report")
    parser.add_argument("--verbose", "-v", action="store_true")
    args = parser.parse_args()

    print("[*] T1003 Credential Dumping Detection Agent")
    report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": {}}

    lsass = check_lsass_access_sysmon()
    report["findings"]["lsass_access"] = lsass
    print(f"[*] Suspicious LSASS access events: {len(lsass)}")

    tools = check_credential_dump_processes()
    report["findings"]["dump_tools"] = tools
    print(f"[*] Credential dump tool detections: {len(tools)}")

    sam = check_sam_ntds_access()
    report["findings"]["sam_ntds_access"] = sam
    print(f"[*] SAM/NTDS access events: {len(sam)}")

    total = len(lsass) + len(tools) + len(sam)
    report["risk_level"] = "CRITICAL" if total >= 5 else "HIGH" if total >= 2 else "MEDIUM" if total > 0 else "LOW"

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"[*] Report saved to {args.output}")
    else:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
process.py5.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
T1003 Credential Dumping Detection Script
Analyzes EDR/Sysmon logs for LSASS access, credential tool execution,
and registry hive exports indicating credential theft.
"""

import json
import csv
import argparse
import datetime
import re
from pathlib import Path

LSASS_SUSPICIOUS_ACCESS = {"0x1fffff", "0x1f3fff", "0x143a", "0x1f0fff", "0x0040", "0x1010", "0x1410"}
LSASS_LEGITIMATE_SOURCES = {
    "csrss.exe", "lsass.exe", "svchost.exe", "msmpe ng.exe", "wmiprvse.exe",
    "securityhealthservice.exe", "smartscreen.exe", "taskmgr.exe",
}

CREDENTIAL_TOOL_PATTERNS = [
    (r"(?i)sekurlsa", "Mimikatz_sekurlsa", "T1003.001", "CRITICAL"),
    (r"(?i)lsadump", "Mimikatz_lsadump", "T1003.001", "CRITICAL"),
    (r"(?i)procdump.*lsass", "ProcDump_LSASS", "T1003.001", "CRITICAL"),
    (r"(?i)comsvcs.*MiniDump", "Comsvcs_MiniDump", "T1003.001", "CRITICAL"),
    (r"(?i)ntdsutil.*ifm", "NTDS_IFM_Creation", "T1003.003", "CRITICAL"),
    (r"(?i)vssadmin.*create\s+shadow", "VSS_Shadow_Copy", "T1003.003", "HIGH"),
    (r"(?i)reg\s+(save|export)\s+hklm\\\\sam", "SAM_Hive_Export", "T1003.002", "CRITICAL"),
    (r"(?i)reg\s+(save|export)\s+hklm\\\\security", "SECURITY_Hive_Export", "T1003.004", "CRITICAL"),
    (r"(?i)reg\s+(save|export)\s+hklm\\\\system", "SYSTEM_Hive_Export", "T1003.002", "HIGH"),
    (r"(?i)esentutl.*ntds", "NTDS_Esentutl", "T1003.003", "CRITICAL"),
    (r"(?i)lazagne", "LaZagne", "T1003", "HIGH"),
]


def parse_events(input_path: str) -> list[dict]:
    path = Path(input_path)
    events = []
    if path.suffix == ".json":
        with open(path, "r", encoding="utf-8") as f:
            data = json.load(f)
            events = data if isinstance(data, list) else data.get("events", [])
    elif path.suffix == ".csv":
        with open(path, "r", encoding="utf-8-sig") as f:
            events = [dict(row) for row in csv.DictReader(f)]
    return events


def detect_credential_dumping(events: list[dict]) -> list[dict]:
    findings = []
    for event in events:
        event_code = str(event.get("EventCode", event.get("EventID", "")))
        computer = event.get("Computer", event.get("host", ""))
        timestamp = event.get("UtcTime", event.get("_time", ""))
        user = event.get("User", event.get("user", ""))

        if event_code == "10":
            target = event.get("TargetImage", "")
            source = event.get("SourceImage", "")
            access = event.get("GrantedAccess", "").lower()
            if "lsass.exe" not in target.lower():
                continue
            source_name = source.split("\\")[-1].lower()
            if source_name in LSASS_LEGITIMATE_SOURCES:
                continue
            if access not in LSASS_SUSPICIOUS_ACCESS:
                continue
            findings.append({
                "timestamp": timestamp, "computer": computer, "user": user,
                "detection_type": "LSASS_Access",
                "source_process": source, "target": "lsass.exe",
                "access_mask": access,
                "technique": "T1003.001", "severity": "CRITICAL",
                "description": f"{source_name} accessed LSASS with {access}",
            })

        elif event_code == "1":
            cmdline = event.get("CommandLine", "")
            image = event.get("Image", "")
            for pattern, tool_name, technique, severity in CREDENTIAL_TOOL_PATTERNS:
                if re.search(pattern, cmdline):
                    findings.append({
                        "timestamp": timestamp, "computer": computer, "user": user,
                        "detection_type": "Credential_Tool",
                        "tool": tool_name, "image": image,
                        "command_line": cmdline,
                        "technique": technique, "severity": severity,
                        "description": f"Credential dumping tool detected: {tool_name}",
                    })
                    break

    return sorted(findings, key=lambda x: {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}.get(x["severity"], 3))


def run_hunt(input_path: str, output_dir: str) -> None:
    print(f"[*] T1003 Credential Dumping Hunt - {datetime.datetime.now().isoformat()}")
    events = parse_events(input_path)
    print(f"[*] Loaded {len(events)} events")
    findings = detect_credential_dumping(events)
    print(f"[!] Credential dumping detections: {len(findings)}")

    output_path = Path(output_dir)
    output_path.mkdir(parents=True, exist_ok=True)
    with open(output_path / "credential_dumping_findings.json", "w", encoding="utf-8") as f:
        json.dump({"hunt_id": f"TH-CRED-{datetime.date.today().isoformat()}",
                    "findings_count": len(findings), "findings": findings}, f, indent=2)
    print(f"[+] Results written to {output_dir}")


def main():
    parser = argparse.ArgumentParser(description="T1003 Credential Dumping Detection")
    parser.add_argument("--input", "-i", required=True)
    parser.add_argument("--output", "-o", default="./cred_dump_hunt_output")
    args = parser.parse_args()
    run_hunt(args.input, args.output)


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.2 KB
Keep exploring