Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
When to Use
- When hunting for credential theft activity in the environment
- After compromise indicators suggest attacker has elevated privileges
- When EDR alerts fire for LSASS access or suspicious process memory reads
- During incident response to determine scope of credential compromise
- When auditing LSASS protection controls (Credential Guard, RunAsPPL)
Prerequisites
- EDR agent deployed with LSASS access monitoring (CrowdStrike, Defender for Endpoint, SentinelOne)
- Sysmon Event ID 10 (ProcessAccess) with LSASS-specific filters
- Windows Security Event ID 4656/4663 (Object Access Auditing)
- LSASS SACL auditing enabled (Windows 10+)
- Registry auditing for SAM hive access
Workflow
- Monitor LSASS Process Access: Track all processes opening handles to lsass.exe with suspicious access rights (PROCESS_VM_READ 0x0010, PROCESS_ALL_ACCESS 0x1FFFFF). Non-privileged or unusual processes accessing LSASS are strong indicators.
- Detect Credential Dumping Tools: Hunt for known tool signatures -- Mimikatz (sekurlsa::logonpasswords), procdump.exe targeting LSASS, comsvcs.dll MiniDump, and Task Manager creating LSASS dumps.
- Monitor NTDS.dit Access: Detect Volume Shadow Copy creation (vssadmin, wmic shadowcopy) followed by NTDS.dit file access, or ntdsutil.exe IFM creation.
- Track SAM/SECURITY/SYSTEM Hive Access: Hunt for reg.exe save commands targeting SAM, SECURITY, and SYSTEM registry hives.
- Detect DCSync Activity: Monitor for non-DC accounts requesting directory replication (Event 4662 with replication GUIDs).
- Correlate with Lateral Movement: After credential dumping, attackers typically move laterally. Correlate credential access events with subsequent remote logon attempts.
- Assess Impact: Determine which credentials were potentially compromised and initiate password resets.
Key Concepts
| Concept | Description |
|---|---|
| T1003.001 | LSASS Memory -- dumping credentials from LSASS process |
| T1003.002 | Security Account Manager -- extracting local account hashes from SAM |
| T1003.003 | NTDS -- extracting domain hashes from Active Directory database |
| T1003.004 | LSA Secrets -- extracting service account passwords |
| T1003.005 | Cached Domain Credentials -- extracting DCC2 hashes |
| T1003.006 | DCSync -- replicating credentials from domain controller |
| Credential Guard | Virtualization-based isolation of LSASS secrets |
| RunAsPPL | Protected Process Light for LSASS |
Detection Queries
Splunk -- LSASS Access Detection
index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where GrantedAccess IN ("0x1FFFFF", "0x1F3FFF", "0x143A", "0x1F0FFF", "0x0040", "0x1010", "0x1410")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|taskmgr|procexp|SecurityHealthService)\.exe$")
| table _time Computer SourceImage SourceProcessId GrantedAccess CallTraceSplunk -- Credential Dumping Tool Detection
index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates)")
OR match(CommandLine, "(?i)procdump.*-ma.*lsass")
OR match(CommandLine, "(?i)comsvcs\.dll.*MiniDump")
OR match(CommandLine, "(?i)ntdsutil.*\"ac i ntds\".*ifm")
OR match(CommandLine, "(?i)reg\s+save\s+hklm\\\\(sam|security|system)")
OR match(CommandLine, "(?i)vssadmin.*create\s+shadow")
| table _time Computer User Image CommandLine ParentImageKQL -- Microsoft Defender for Endpoint
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("LsassAccess", "CredentialDumpingActivity")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, ActionType, AdditionalFields
| sort by Timestamp descSigma Rule -- LSASS Credential Dumping
title: LSASS Memory Credential Dumping Attempt
status: stable
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1FFFFF'
- '0x1F3FFF'
- '0x143A'
- '0x0040'
filter:
SourceImage|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\MsMpEng.exe'
- '\svchost.exe'
condition: selection and not filter
level: critical
tags:
- attack.credential_access
- attack.t1003.001Common Scenarios
- Mimikatz sekurlsa: Direct LSASS memory reading via
sekurlsa::logonpasswordsto extract plaintext passwords, NTLM hashes, and Kerberos tickets. - ProcDump LSASS:
procdump.exe -ma lsass.exe lsass.dmpcreating a memory dump for offline credential extraction. - Comsvcs.dll MiniDump:
rundll32.exe comsvcs.dll MiniDump [LSASS_PID] dump.bin fullusing a built-in Windows DLL for LSASS dumping. - NTDS.dit Extraction: Creating a Volume Shadow Copy and copying NTDS.dit + SYSTEM hive for offline domain hash extraction with secretsdump.
- SAM Hive Export:
reg save HKLM\SAM sam.savefollowed byreg save HKLM\SYSTEM system.savefor local account hash extraction. - Task Manager Dump: Right-clicking LSASS in Task Manager to create a memory dump -- a legitimate tool abused for credential theft.
Output Format
Hunt ID: TH-CRED-[DATE]-[SEQ]
Host: [Hostname]
Dumping Method: [LSASS_Access/NTDS/SAM/DCSync]
Source Process: [Tool or process used]
Target: [LSASS/NTDS.dit/SAM/SECURITY]
Access Rights: [Granted access mask]
User Context: [Account performing the dump]
ATT&CK Technique: [T1003.00x]
Risk Level: [Critical/High/Medium]
Credentials at Risk: [Scope assessment]Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.5 KB
API Reference: T1003 Credential Dumping Detection
MITRE ATT&CK T1003 Sub-Techniques
| Sub-technique | Name | Detection |
|---|---|---|
| T1003.001 | LSASS Memory | Sysmon Event 10 |
| T1003.002 | SAM Registry | Event 4688 |
| T1003.003 | NTDS.dit | Event 4688, VSS events |
| T1003.004 | LSA Secrets | Registry access |
| T1003.005 | Cached Domain Creds | Registry access |
| T1003.006 | DCSync | Event 4662 |
Sysmon Events for Credential Dumping
Event ID 10 — ProcessAccess
| Field | Description |
|---|---|
| SourceProcessId | PID of accessing process |
| SourceImage | Path of accessing process |
| TargetProcessId | PID of target (lsass.exe) |
| TargetImage | Path of target process |
| GrantedAccess | Access mask |
Suspicious Access Masks
| Mask | Meaning |
|---|---|
| 0x1010 | QUERY_LIMITED + VM_READ |
| 0x1FFFFF | PROCESS_ALL_ACCESS |
| 0x1410 | QUERY_INFO + VM_READ |
| 0x0040 | DUP_HANDLE |
Event ID 1 — ProcessCreate
<Data Name="Image">C:\tools\mimikatz.exe</Data>
<Data Name="CommandLine">mimikatz.exe "sekurlsa::logonpasswords"</Data>Windows Security Event Log
Event 4688 — Process Creation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}Event 4662 — Object Access (DCSync detection)
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes
Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes-AllCrowdStrike Falcon — Detection Query
Search for credential access alerts
GET https://api.crowdstrike.com/detects/queries/detects/v1
?filter=behaviors.tactic:'Credential Access'
Authorization: Bearer {token}Microsoft Defender ATP — Advanced Hunting
LSASS Access KQL
DeviceProcessEvents
| where FileName == "lsass.exe"
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe")
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileNameSigma Rules
LSASS Memory Access
title: LSASS Memory Access by Non-System Process
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1010'
- '0x1FFFFF'
filter:
SourceImage|endswith:
- '\svchost.exe'
- '\csrss.exe'
condition: selection and not filter
level: criticalstandards.md2.2 KB
Standards and References - T1003 Credential Dumping Detection
MITRE ATT&CK Credential Dumping Sub-Techniques
| Sub-Technique | Target | Common Tools | Primary Detection |
|---|---|---|---|
| T1003.001 | LSASS Memory | Mimikatz, ProcDump, comsvcs.dll | Sysmon Event 10, EDR LSASS alerts |
| T1003.002 | SAM Database | reg save, Mimikatz | Registry access auditing |
| T1003.003 | NTDS.dit | ntdsutil, vssadmin, secretsdump | VSS creation + file access |
| T1003.004 | LSA Secrets | Mimikatz, reg save | Registry access to SECURITY hive |
| T1003.005 | Cached Domain Creds | Mimikatz, cachedump | SECURITY hive access |
| T1003.006 | DCSync | Mimikatz, Impacket | Event 4662 replication GUIDs |
LSASS Access Masks for Credential Dumping
| Access Mask | Meaning | Risk Level |
|---|---|---|
| 0x1FFFFF | PROCESS_ALL_ACCESS | Critical |
| 0x1F3FFF | Near-full access | Critical |
| 0x143A | Mimikatz typical access | Critical |
| 0x1F0FFF | Full minus synchronize | Critical |
| 0x0040 | PROCESS_VM_READ | High |
| 0x1010 | PROCESS_VM_READ + QUERY_INFO | High |
Protection Controls
| Control | Description | Effectiveness |
|---|---|---|
| Credential Guard | Virtualizes LSASS secrets | High -- prevents plaintext extraction |
| RunAsPPL | Protected Process Light for LSASS | Medium -- blocks unsigned callers |
| ASR Rules | Attack Surface Reduction for LSASS | Medium -- blocks common tools |
| LSASS SACL | Audit logging for LSASS access | Detection only |
| Windows Defender Credential Guard | Hardware-backed isolation | High |
Known Credential Dumping Tools
| Tool | Method | Detection Signature |
|---|---|---|
| Mimikatz | Direct LSASS read via API | sekurlsa::, lsadump:: |
| ProcDump | LSASS dump via MiniDumpWriteDump | procdump -ma lsass |
| comsvcs.dll | Built-in DLL MiniDump function | comsvcs.dll,MiniDump |
| Task Manager | GUI-based LSASS dump | taskmgr.exe accessing lsass |
| ntdsutil | IFM creation for NTDS | "ac i ntds" "ifm" |
| secretsdump.py | Remote NTDS extraction | Impacket network activity |
| LaZagne | Multi-source credential harvesting | lazagne.exe all |
workflows.md2.2 KB
Detailed Hunting Workflow - T1003 Credential Dumping
Phase 1: LSASS Memory Access Detection
Step 1.1 - Sysmon Event 10 Analysis
index=sysmon EventCode=10
| where match(TargetImage, "(?i)lsass\.exe$")
| where NOT match(SourceImage, "(?i)(csrss|lsass|svchost|MsMpEng|WmiPrvSE|SecurityHealthService|smartscreen)\.exe$")
| stats count values(GrantedAccess) as access_masks by SourceImage Computer
| sort -countStep 1.2 - EDR LSASS Alerts
AlertInfo
| where Title has_any ("LSASS", "credential", "Mimikatz")
| join AlertEvidence on AlertId
| project Timestamp, Title, DeviceName, FileName, ProcessCommandLinePhase 2: Credential Tool Detection
Step 2.1 - Known Tool Command Lines
index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|crypto::certificates|privilege::debug)")
OR match(OriginalFileName, "(?i)mimikatz")
OR (match(CommandLine, "(?i)procdump") AND match(CommandLine, "(?i)lsass"))
OR match(CommandLine, "(?i)comsvcs.*MiniDump")
| table _time Computer User Image CommandLine HashesStep 2.2 - NTDS.dit Extraction
index=sysmon EventCode=1
| where match(CommandLine, "(?i)(vssadmin.*create\s+shadow|wmic\s+shadowcopy|ntdsutil.*ifm|esentutl.*ntds)")
| table _time Computer User CommandLine ParentImageStep 2.3 - Registry Hive Export
index=sysmon EventCode=1
| where match(CommandLine, "(?i)reg\s+(save|export)\s+hklm\\\\(sam|security|system)")
| table _time Computer User CommandLinePhase 3: Post-Dump Lateral Movement
Step 3.1 - Pass-the-Hash Detection
index=wineventlog EventCode=4624 LogonType=9
| where AuthenticationPackageName="Negotiate"
| table _time TargetUserName IpAddress WorkstationName LogonProcessNameStep 3.2 - Suspicious Remote Logons After Dump
index=wineventlog EventCode=4624 LogonType=3
| where _time > [credential_dump_timestamp]
| stats count by TargetUserName IpAddress WorkstationName
| sort -countPhase 4: Response Actions
- Isolate affected endpoints
- Reset ALL credentials that were potentially on compromised systems
- Rotate KRBTGT if domain-level compromise suspected
- Enable Credential Guard and RunAsPPL
- Deploy ASR rules for LSASS protection
Scripts 2
agent.py6.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for detecting T1003 credential dumping via EDR telemetry analysis."""
import argparse
import json
import re
import subprocess
import sys
from datetime import datetime, timezone
LSASS_ACCESS_MASKS = {
0x1010: "PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ",
0x1FFFFF: "PROCESS_ALL_ACCESS",
0x1410: "PROCESS_QUERY_INFORMATION | PROCESS_VM_READ",
0x0040: "PROCESS_DUP_HANDLE",
}
CREDENTIAL_DUMP_TOOLS = [
"mimikatz", "procdump", "sqldumper", "comsvcs.dll",
"nanodump", "pypykatz", "lazagne", "secretsdump",
"gsecdump", "wce.exe", "fgdump", "pwdump",
"ntdsutil", "reg save hklm\\sam", "reg save hklm\\system",
]
SYSMON_EVENTS = {
1: "Process Creation",
10: "Process Access (LSASS read)",
11: "File Create (credential dump file)",
7: "Image Loaded (suspicious DLL)",
}
def check_lsass_access_sysmon():
"""Query Sysmon Event ID 10 for LSASS process access."""
findings = []
if sys.platform != "win32":
return findings
ps_cmd = (
"Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';"
"Id=10} -MaxEvents 500 "
"| Where-Object {$_.Properties[8].Value -match 'lsass'} "
"| Select-Object TimeCreated,"
"@{N='SourceProcess';E={$_.Properties[4].Value}},"
"@{N='SourcePID';E={$_.Properties[3].Value}},"
"@{N='TargetProcess';E={$_.Properties[8].Value}},"
"@{N='GrantedAccess';E={$_.Properties[10].Value}} "
"| ConvertTo-Json -Depth 3"
)
try:
result = subprocess.check_output(
["powershell", "-NoProfile", "-Command", ps_cmd],
text=True, errors="replace", timeout=30
)
data = json.loads(result) if result.strip() else []
if not isinstance(data, list):
data = [data]
for evt in data:
source = evt.get("SourceProcess", "")
access = evt.get("GrantedAccess", "")
if not any(safe in source.lower() for safe in ["svchost", "csrss", "lsass", "wmiprvse"]):
findings.append({
"time": evt.get("TimeCreated", ""),
"source": source,
"target": evt.get("TargetProcess", ""),
"access_mask": access,
"suspicious": True,
})
except (subprocess.SubprocessError, json.JSONDecodeError):
pass
return findings
def check_credential_dump_processes():
"""Check for known credential dumping tool processes."""
findings = []
if sys.platform != "win32":
return findings
ps_cmd = (
"Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';"
"Id=1} -MaxEvents 1000 "
"| Select-Object TimeCreated,"
"@{N='Image';E={$_.Properties[4].Value}},"
"@{N='CommandLine';E={$_.Properties[10].Value}},"
"@{N='ParentImage';E={$_.Properties[20].Value}} "
"| ConvertTo-Json -Depth 3"
)
try:
result = subprocess.check_output(
["powershell", "-NoProfile", "-Command", ps_cmd],
text=True, errors="replace", timeout=30
)
data = json.loads(result) if result.strip() else []
if not isinstance(data, list):
data = [data]
for evt in data:
cmdline = (evt.get("CommandLine", "") or "").lower()
image = (evt.get("Image", "") or "").lower()
for tool in CREDENTIAL_DUMP_TOOLS:
if tool.lower() in cmdline or tool.lower() in image:
findings.append({
"time": evt.get("TimeCreated", ""),
"image": evt.get("Image", ""),
"commandline": evt.get("CommandLine", "")[:200],
"tool_match": tool,
})
break
except (subprocess.SubprocessError, json.JSONDecodeError):
pass
return findings
def check_sam_ntds_access():
"""Check for SAM/NTDS.dit/SYSTEM registry hive access."""
findings = []
patterns = [
r"reg\s+save\s+hklm\\sam",
r"reg\s+save\s+hklm\\system",
r"reg\s+save\s+hklm\\security",
r"ntdsutil.*\"ac\s+i\s+ntds\"",
r"vssadmin.*create\s+shadow",
r"copy.*ntds\.dit",
]
if sys.platform != "win32":
return findings
ps_cmd = (
"Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} -MaxEvents 500 "
"| Select-Object TimeCreated,"
"@{N='CommandLine';E={$_.Properties[8].Value}} "
"| ConvertTo-Json"
)
try:
result = subprocess.check_output(
["powershell", "-NoProfile", "-Command", ps_cmd],
text=True, errors="replace", timeout=30
)
data = json.loads(result) if result.strip() else []
if not isinstance(data, list):
data = [data]
for evt in data:
cmdline = (evt.get("CommandLine", "") or "").lower()
for pat in patterns:
if re.search(pat, cmdline):
findings.append({
"time": evt.get("TimeCreated", ""),
"commandline": cmdline[:200],
"pattern": pat,
})
except (subprocess.SubprocessError, json.JSONDecodeError):
pass
return findings
def main():
parser = argparse.ArgumentParser(
description="Detect T1003 credential dumping via EDR telemetry"
)
parser.add_argument("--output", "-o", help="Output JSON report")
parser.add_argument("--verbose", "-v", action="store_true")
args = parser.parse_args()
print("[*] T1003 Credential Dumping Detection Agent")
report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": {}}
lsass = check_lsass_access_sysmon()
report["findings"]["lsass_access"] = lsass
print(f"[*] Suspicious LSASS access events: {len(lsass)}")
tools = check_credential_dump_processes()
report["findings"]["dump_tools"] = tools
print(f"[*] Credential dump tool detections: {len(tools)}")
sam = check_sam_ntds_access()
report["findings"]["sam_ntds_access"] = sam
print(f"[*] SAM/NTDS access events: {len(sam)}")
total = len(lsass) + len(tools) + len(sam)
report["risk_level"] = "CRITICAL" if total >= 5 else "HIGH" if total >= 2 else "MEDIUM" if total > 0 else "LOW"
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"[*] Report saved to {args.output}")
else:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
process.py5.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
T1003 Credential Dumping Detection Script
Analyzes EDR/Sysmon logs for LSASS access, credential tool execution,
and registry hive exports indicating credential theft.
"""
import json
import csv
import argparse
import datetime
import re
from pathlib import Path
LSASS_SUSPICIOUS_ACCESS = {"0x1fffff", "0x1f3fff", "0x143a", "0x1f0fff", "0x0040", "0x1010", "0x1410"}
LSASS_LEGITIMATE_SOURCES = {
"csrss.exe", "lsass.exe", "svchost.exe", "msmpe ng.exe", "wmiprvse.exe",
"securityhealthservice.exe", "smartscreen.exe", "taskmgr.exe",
}
CREDENTIAL_TOOL_PATTERNS = [
(r"(?i)sekurlsa", "Mimikatz_sekurlsa", "T1003.001", "CRITICAL"),
(r"(?i)lsadump", "Mimikatz_lsadump", "T1003.001", "CRITICAL"),
(r"(?i)procdump.*lsass", "ProcDump_LSASS", "T1003.001", "CRITICAL"),
(r"(?i)comsvcs.*MiniDump", "Comsvcs_MiniDump", "T1003.001", "CRITICAL"),
(r"(?i)ntdsutil.*ifm", "NTDS_IFM_Creation", "T1003.003", "CRITICAL"),
(r"(?i)vssadmin.*create\s+shadow", "VSS_Shadow_Copy", "T1003.003", "HIGH"),
(r"(?i)reg\s+(save|export)\s+hklm\\\\sam", "SAM_Hive_Export", "T1003.002", "CRITICAL"),
(r"(?i)reg\s+(save|export)\s+hklm\\\\security", "SECURITY_Hive_Export", "T1003.004", "CRITICAL"),
(r"(?i)reg\s+(save|export)\s+hklm\\\\system", "SYSTEM_Hive_Export", "T1003.002", "HIGH"),
(r"(?i)esentutl.*ntds", "NTDS_Esentutl", "T1003.003", "CRITICAL"),
(r"(?i)lazagne", "LaZagne", "T1003", "HIGH"),
]
def parse_events(input_path: str) -> list[dict]:
path = Path(input_path)
events = []
if path.suffix == ".json":
with open(path, "r", encoding="utf-8") as f:
data = json.load(f)
events = data if isinstance(data, list) else data.get("events", [])
elif path.suffix == ".csv":
with open(path, "r", encoding="utf-8-sig") as f:
events = [dict(row) for row in csv.DictReader(f)]
return events
def detect_credential_dumping(events: list[dict]) -> list[dict]:
findings = []
for event in events:
event_code = str(event.get("EventCode", event.get("EventID", "")))
computer = event.get("Computer", event.get("host", ""))
timestamp = event.get("UtcTime", event.get("_time", ""))
user = event.get("User", event.get("user", ""))
if event_code == "10":
target = event.get("TargetImage", "")
source = event.get("SourceImage", "")
access = event.get("GrantedAccess", "").lower()
if "lsass.exe" not in target.lower():
continue
source_name = source.split("\\")[-1].lower()
if source_name in LSASS_LEGITIMATE_SOURCES:
continue
if access not in LSASS_SUSPICIOUS_ACCESS:
continue
findings.append({
"timestamp": timestamp, "computer": computer, "user": user,
"detection_type": "LSASS_Access",
"source_process": source, "target": "lsass.exe",
"access_mask": access,
"technique": "T1003.001", "severity": "CRITICAL",
"description": f"{source_name} accessed LSASS with {access}",
})
elif event_code == "1":
cmdline = event.get("CommandLine", "")
image = event.get("Image", "")
for pattern, tool_name, technique, severity in CREDENTIAL_TOOL_PATTERNS:
if re.search(pattern, cmdline):
findings.append({
"timestamp": timestamp, "computer": computer, "user": user,
"detection_type": "Credential_Tool",
"tool": tool_name, "image": image,
"command_line": cmdline,
"technique": technique, "severity": severity,
"description": f"Credential dumping tool detected: {tool_name}",
})
break
return sorted(findings, key=lambda x: {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}.get(x["severity"], 3))
def run_hunt(input_path: str, output_dir: str) -> None:
print(f"[*] T1003 Credential Dumping Hunt - {datetime.datetime.now().isoformat()}")
events = parse_events(input_path)
print(f"[*] Loaded {len(events)} events")
findings = detect_credential_dumping(events)
print(f"[!] Credential dumping detections: {len(findings)}")
output_path = Path(output_dir)
output_path.mkdir(parents=True, exist_ok=True)
with open(output_path / "credential_dumping_findings.json", "w", encoding="utf-8") as f:
json.dump({"hunt_id": f"TH-CRED-{datetime.date.today().isoformat()}",
"findings_count": len(findings), "findings": findings}, f, indent=2)
print(f"[+] Results written to {output_dir}")
def main():
parser = argparse.ArgumentParser(description="T1003 Credential Dumping Detection")
parser.add_argument("--input", "-i", required=True)
parser.add_argument("--output", "-o", default="./cred_dump_hunt_output")
args = parser.parse_args()
run_hunt(args.input, args.output)
if __name__ == "__main__":
main()
Assets 1
template.mdtext/markdown · 1.2 KBKeep exploring