Detecting Credential Dumping with EDR
When to Use
- When hunting for post-exploitation credential theft in compromised environments
- After detecting suspicious LSASS process access in EDR alerts
- When investigating potential Active Directory compromise
- During incident response to determine scope of credential exposure
- When proactively hunting for T1003 sub-techniques across endpoints
Prerequisites
- EDR platform with process access monitoring (CrowdStrike, MDE, SentinelOne)
- Sysmon deployed with Event ID 10 (Process Access) configured for LSASS
- Windows Security Event Log 4688 with command-line auditing enabled
- Active Directory event forwarding for DCSync detection (Event ID 4662)
- Windows Security Event Log 4656/4663 for SAM registry access
Workflow
- Identify Credential Dumping Vectors: Map the T1003 sub-techniques relevant to your environment (LSASS Memory, SAM, NTDS, DCSync, /etc/passwd, Cached Credentials).
- Query LSASS Access Events: Search for Sysmon Event ID 10 where TargetImage is lsass.exe with suspicious GrantedAccess masks (0x1010, 0x1038, 0x1FFFFF).
- Analyze Process Context: Examine the source process accessing LSASS - legitimate security tools vs. unknown or suspicious binaries.
- Hunt for SAM/NTDS Access: Query for reg.exe save operations against SAM/SECURITY/SYSTEM hives and ntdsutil/vssadmin shadow copy access.
- Detect DCSync Activity: Monitor for DS-Replication-Get-Changes requests from non-domain-controller sources (Event ID 4662).
- Correlate with Network Activity: Cross-reference credential dumping with subsequent lateral movement or authentication anomalies.
- Assess Impact and Report: Determine which credentials were potentially exposed and recommend password resets and containment.
Key Concepts
| Concept | Description |
|---|---|
| T1003 | OS Credential Dumping - parent technique |
| T1003.001 | LSASS Memory - dumping credentials from LSASS process |
| T1003.002 | Security Account Manager (SAM) - extracting local password hashes |
| T1003.003 | NTDS - extracting AD database from Domain Controllers |
| T1003.004 | LSA Secrets - accessing stored service credentials |
| T1003.005 | Cached Domain Credentials (DCC2) |
| T1003.006 | DCSync - replicating AD credentials via DRSUAPI |
| LSASS | Local Security Authority Subsystem Service |
| GrantedAccess | Bitmask indicating the access rights requested for a process |
| Minidump | Memory dump technique used by tools like comsvcs.dll |
Tools & Systems
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | LSASS access detection and process tree analysis |
| Microsoft Defender for Endpoint | Advanced hunting for credential access events |
| Sysmon | Process access monitoring (Event ID 10) |
| Velociraptor | Endpoint artifact collection for LSASS analysis |
| Elastic Security | Correlation of credential dumping indicators |
| Splunk | SPL queries for credential access event analysis |
| Volatility | Memory forensics for LSASS credential extraction |
Common Scenarios
- Mimikatz LSASS Dump: Attacker runs
sekurlsa::logonpasswordscausing direct LSASS memory read with GrantedAccess 0x1010. - Comsvcs.dll MiniDump: Process uses
rundll32.exe comsvcs.dll MiniDump [LSASS PID]to create LSASS memory dump file. - ProcDump LSASS: Attacker uses Microsoft-signed procdump.exe with
-ma lsass.exeto dump LSASS memory. - SAM Registry Export: Adversary runs
reg save HKLM\SAM sam.bakto extract local password hashes. - DCSync Replication: Compromised account with Replicating Directory Changes permissions performs DCSync from a workstation.
- NTDS Shadow Copy: Attacker uses
vssadmin create shadow /for=C:then copies ntds.dit from the shadow copy.
Output Format
Hunt ID: TH-CRED-DUMP-[DATE]-[SEQ]
Technique: T1003.[Sub-technique]
Source Process: [Process accessing LSASS/SAM/NTDS]
Target: [lsass.exe / SAM / NTDS.dit / DC Replication]
Host: [Hostname]
User: [Account context]
GrantedAccess: [Access mask if applicable]
Timestamp: [UTC]
Risk Level: [Critical/High/Medium/Low]
Evidence: [Log entries, process tree, network activity]
Recommended Action: [Password reset scope, containment steps]Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
- ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
- NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
- NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add detecting-credential-dumping-with-edr
# Or load dynamically via MCP
grc.load_skill("detecting-credential-dumping-with-edr")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.