Detecting Credential Dumping with EDR
When to Use
- When hunting for post-exploitation credential theft in compromised environments
- After detecting suspicious LSASS process access in EDR alerts
- When investigating potential Active Directory compromise
- During incident response to determine scope of credential exposure
- When proactively hunting for T1003 sub-techniques across endpoints
Prerequisites
- EDR platform with process access monitoring (CrowdStrike, MDE, SentinelOne)
- Sysmon deployed with Event ID 10 (Process Access) configured for LSASS
- Windows Security Event Log 4688 with command-line auditing enabled
- Active Directory event forwarding for DCSync detection (Event ID 4662)
- Windows Security Event Log 4656/4663 for SAM registry access
Workflow
-
Identify Credential Dumping Vectors: Map the T1003 sub-techniques relevant to your environment (LSASS Memory, SAM, NTDS, DCSync, /etc/passwd, Cached Credentials).
-
Query LSASS Access Events: Search for Sysmon Event ID 10 where TargetImage is lsass.exe with suspicious GrantedAccess masks (0x1010, 0x1038, 0x1FFFFF).
-
Analyze Process Context: Examine the source process accessing LSASS - legitimate security tools vs. unknown or suspicious binaries.
-
Hunt for SAM/NTDS Access: Query for reg.exe save operations against SAM/SECURITY/SYSTEM hives and ntdsutil/vssadmin shadow copy access.
-
Detect DCSync Activity: Monitor for DS-Replication-Get-Changes requests from non-domain-controller sources (Event ID 4662).
-
Correlate with Network Activity: Cross-reference credential dumping with subsequent lateral movement or authentication anomalies.
-
Assess Impact and Report: Determine which credentials were potentially exposed and recommend password resets and containment.
Key Concepts
| Concept |
Description |
| T1003 |
OS Credential Dumping - parent technique |
| T1003.001 |
LSASS Memory - dumping credentials from LSASS process |
| T1003.002 |
Security Account Manager (SAM) - extracting local password hashes |
| T1003.003 |
NTDS - extracting AD database from Domain Controllers |
| T1003.004 |
LSA Secrets - accessing stored service credentials |
| T1003.005 |
Cached Domain Credentials (DCC2) |
| T1003.006 |
DCSync - replicating AD credentials via DRSUAPI |
| LSASS |
Local Security Authority Subsystem Service |
| GrantedAccess |
Bitmask indicating the access rights requested for a process |
| Minidump |
Memory dump technique used by tools like comsvcs.dll |
Tools & Systems
| Tool |
Purpose |
| CrowdStrike Falcon |
LSASS access detection and process tree analysis |
| Microsoft Defender for Endpoint |
Advanced hunting for credential access events |
| Sysmon |
Process access monitoring (Event ID 10) |
| Velociraptor |
Endpoint artifact collection for LSASS analysis |
| Elastic Security |
Correlation of credential dumping indicators |
| Splunk |
SPL queries for credential access event analysis |
| Volatility |
Memory forensics for LSASS credential extraction |
Common Scenarios
-
Mimikatz LSASS Dump: Attacker runs
sekurlsa::logonpasswords causing direct LSASS memory read with GrantedAccess 0x1010.
-
Comsvcs.dll MiniDump: Process uses
rundll32.exe comsvcs.dll MiniDump [LSASS PID] to create LSASS memory dump file.
-
ProcDump LSASS: Attacker uses Microsoft-signed procdump.exe with
-ma lsass.exe to dump LSASS memory.
-
SAM Registry Export: Adversary runs
reg save HKLM\SAM sam.bak to extract local password hashes.
-
DCSync Replication: Compromised account with Replicating Directory Changes permissions performs DCSync from a workstation.
-
NTDS Shadow Copy: Attacker uses
vssadmin create shadow /for=C: then copies ntds.dit from the shadow copy.
Output Format
Hunt ID: TH-CRED-DUMP-[DATE]-[SEQ]
Technique: T1003.[Sub-technique]
Source Process: [Process accessing LSASS/SAM/NTDS]
Target: [lsass.exe / SAM / NTDS.dit / DC Replication]
Host: [Hostname]
User: [Account context]
GrantedAccess: [Access mask if applicable]
Timestamp: [UTC]
Risk Level: [Critical/High/Medium/Low]
Evidence: [Log entries, process tree, network activity]
Recommended Action: [Password reset scope, containment steps]
