OS Credential Dumping T1003
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.
Events covered
56 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 313 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (119 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1731 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (447 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.
Sigma 158 rules
- Active Directory Replication from Non Machine Account
- APT31 Judgement Panda Activity
- Backdoor introduction via registry permission change through WMI (DAMP)
- Capture Credentials with Rpcping.exe
- Copying Sensitive Files with Credential Data
- Crash Dump Created By Operating System
- Create Volume Shadow Copy with Powershell
- CreateDump Process Dump
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Critical Hive In Suspicious Location Access Bits Cleared
- Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
- Diskshadow command abuse to expose VSS backup
- DPAPI Domain Backup Key Extraction
- DPAPI Domain Master Key Backup Attempt
- Dumping of Sensitive Hives Via Reg.EXE
- Dumping Process via Sqldumper.exe
- DumpMinitool Execution
- Esentutl Gather Credentials
- Esentutl Volume Shadow Copy Service Keys
- Exchange group membership change to perform DCsync attack
- File Access Of Signal Desktop Sensitive Data
- Group Managed Service Accounts password dump - GoldenGMSA
- HackTool - CrackMapExec File Indicators
- HackTool - CrackMapExec Process Patterns
- HackTool - CreateMiniDump Execution
- HackTool - Credential Dumping Tools Named Pipe Created
- HackTool - Doppelanger LSASS Dumper Execution
- HackTool - Dumpert Process Dumper Default File
- HackTool - Dumpert Process Dumper Execution
- HackTool - Generic Process Access
- HackTool - HandleKatz Duplicating LSASS Handle
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Impacket File Indicators
- HackTool - Inveigh Execution
- HackTool - Mimikatz Execution
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- HackTool - Pypykatz Credentials Dumping Activity
- HackTool - Quarks PwDump Execution
- HackTool - QuarksPwDump Dump File
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock
- HackTool - SafetyKatz Dump Indicator
- HackTool - SafetyKatz Execution
- HackTool - Windows Credential Editor (WCE) Execution
- HackTool - WSASS Execution
- HackTool - XORDump Execution
- Hacktool Execution - Imphash
- Hacktool Execution - PE Metadata
- IFM creation detected from commandline (installation from media)
- IFM detected - ESENT (installation from media)
- IIS Application Pool credential dumping
- Interesting Service Enumeration Via Sc.EXE
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Kerberos key list attack for credential dumping
- Live Memory Dump Using Powershell
- Loaded Module Enumeration Via Tasklist.EXE
- LSASS Access Detected via Attack Surface Reduction
- LSASS Access From Non System Account
- LSASS Access From Potentially White-Listed Processes
- LSASS Access From Program In Potentially Suspicious Folder
- LSASS credential dump with LSASSY (admin share)
- LSASS credential dump with LSASSY (kernel access)
- LSASS credential dump with LSASSY (PowerShell)
- LSASS credential dump with LSASSY (process)
- LSASS Dump Keyword In CommandLine
- LSASS dump via process access
- Lsass Full Dump Request Via DumpType Registry Settings
- LSASS Memory Access by Tool With Dump Keyword In Name
- Lsass Memory Dump via Comsvcs DLL
- LSASS Process Crashed - Application
- LSASS Process Dump Artefact In CrashDumps Folder
- LSASS process dump by a non system account
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- LSASS Process Memory Dump Files
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Mimikatz DC Sync
- Mimikatz malicious Security package (SSP) exfiltrates cleartext passwords in file
- NetSYnc attack
- New Generic Credentials Added Via Cmdkey.EXE
- NotPetya Ransomware Activity
- NTDS Exfiltration Filename Patterns
- NTDS.DIT Created
- NTDS.DIT Creation By Uncommon Parent Process
- NTDS.DIT Creation By Uncommon Process
- Ntdsutil Abuse
- Password Dumper Activity on LSASS
- Password Dumper Remote Thread in LSASS
- Possible Impacket SecretDump Remote Activity
- Potential Adplus.EXE Abuse
- Potential Credential Dumping Activity Via LSASS
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Potential Credential Dumping Attempt Via PowerShell
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Potential Credential Dumping Via LSASS Process Clone
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Potential Credential Dumping Via WER
- Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
- Potential Invoke-Mimikatz PowerShell Script
- Potential LSASS Process Dump Via Procdump
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Potential Russian APT Credential Theft Activity
- Potential SAM Database Dump
- Potential SAM database user credentials dumped with DCshadow
- Potential SysInternals ProcDump Evasion
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Potentially Suspicious AccessMask Requested From LSASS
- Potentially Suspicious GrantedAccess Flags On LSASS
- Potentially Suspicious ODBC Driver Registered
- PowerShell Get-Process LSASS in ScriptBlock
- PowerShell SAM Copy
- PPL Tampering Via WerFaultSecure
- Procdump Execution
- Process Access via TrolleyExpress Exclusion
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump via RdrLeakDiag.EXE
- PUA - DIT Snapshot Viewer
- PUA - Memory Dump Mount Via MemProcFS
- Remote LSASS Process Access Through Windows Remote Management
- Renamed CreateDump Utility Execution
- Replication privileges accessed to perform DCSync attack
- SAM database user credentials dump with Mimikatz
- Secretdump password dumping via SMB admin share
- Sensitive File Dump Via Print.EXE
- Sensitive File Dump Via Wbadmin.EXE
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Shadow Copies Creation Using Operating Systems Utilities
- Suspicious DumpMinitool Execution
- Suspicious Get-ADDBAccount Usage
- Suspicious Get-ADReplAccount
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Suspicious LSASS Access Via MalSecLogon
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Suspicious Process Patterns NTDS.DIT Exfil
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- Suspicious SYSTEM User Process Creation
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Task Manager access indicator for potential LSASS dump
- Task Manager used for LSASS dump (kernel)
- Time Travel Debugging Utility Usage
- Time Travel Debugging Utility Usage - Image
- Transferring Files with Credential Data via Network Shares
- Uncommon GrantedAccess Flags On LSASS
- Unsigned Image Loaded Into LSASS Process
- Volume Shadow Copy Mount
- VolumeShadowCopy Symlink Creation Via Mklink
- VSSAudit Security Event Source Registration
- WCE wceaux.dll Access
- Wdigest authentication enabled (Reg via command)
- Wdigest authentication enabled (registry)
- WerFault LSASS Process Memory Dump
- Windows Credential Editor Registry
Elastic 37 rules
- Access to a Sensitive LDAP Attribute
- Credential Acquisition via Registry Hive Dumping
- Disabling Lsa Protection via Registry Modification
- First Time Seen Account Performing DCSync
- Full User-Mode Dumps Enabled System-Wide
- Kirbi File Creation
- LSASS Memory Dump Handle Access
- Memory Dump File with Unusual Extension
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Modification of WDigest Security Provider
- Multiple Vault Web Credentials Read
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Potential Active Directory Replication Account Backdoor
- Potential Credential Access via DCSync
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Memory Dump File Creation
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Credential Access via Trusted Developer Utility
- Potential Credential Access via Windows Utilities
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Potential Remote Credential Access via Registry
- Potential Veeam Credential Access Command
- Searching for Saved Credentials via VaultCmd
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
- Suspicious Module Loaded by LSASS
- Suspicious Remote Registry Access via SeBackupPrivilege
- Symbolic Link to Shadow Copy Created
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent
- Veeam Backup Library Loaded by Unusual Process
- Windows Registry File Creation in SMB Share
- Wireless Credential Dumping using Netsh Command
Splunk 84 rules
- Access LSASS Memory for Dump Creation
- ADExplorer Execution (Sysmon)
- ADExplorer Execution (Windows Event Log)
- ADExplorer Snapshot Creation (Sysmon)
- ADExplorer Snapshot Creation (Windows Event Log)
- Attacker Tools On Endpoint
- Browser Credential File Accessed - Windows (Windows Event Log)
- Command Line lsass request (PowerShell)
- Command Line lsass request (Sysmon)
- Command Line lsass request (Windows Event Log)
- Common LSASS Memory Dump Behavior (Windows Event Log)
- comsvcs.dll Lsass Memory Dump (Sysmon)
- comsvcs.dll Lsass Memory Dump (Windows Event Log)
- Create Remote Thread into LSASS
- Creation of lsass Dump with Taskmgr
- Creation of Shadow Copy
- Creation of Shadow Copy with wmic and powershell
- Credential Dumping via Copy Command from Shadow Copy
- Credential Dumping via Symlink to Shadow Copy
- Detect Copy of ShadowCopy with Script Block Logging
- Detect Credential Dumping through LSASS access
- Detect Mimikatz With PowerShell Script Block Logging
- Dump File Identified (PowerShell)
- Dump File Identified (Sysmon)
- Dump File Identified (Windows Event Log)
- Dump LSASS via comsvcs DLL
- Dump LSASS via procdump
- Enable WDigest UseLogonCredential Registry
- Esentutl Execution (PowerShell)
- Esentutl Execution (Sysmon)
- Esentutl Execution (Windows Event Log)
- Esentutl SAM Copy
- Excessive DRSGetNCChanges Requests (Windows Event Log)
- LSASS Handle request (Windows Event Log)
- Mimikatz (Sysmon)
- Mimikatz (Windows Event Log)
- Mimikatz Execution (Windows Event Log)
- MultiDump.exe Execution (Sysmon)
- MultiDump.exe Execution (Windows Event Log)
- ntds.dit Access from Unexpected Location (Sysmon)
- ntds.dit Access from Unexpected Location (Windows Event Log)
- ntds.dit Command Line (PowerShell)
- ntds.dit Command Line (Sysmon)
- ntds.dit Command Line (Windows Event Log)
- Ntdsutil Export NTDS
- NTDSUtil.exe execution (Sysmon)
- NTDSUtil.exe execution (Windows Event Log)
- PetitPotam Suspicious Kerberos TGT Request
- Possible Credential Dumping via Windows Network Providers (PowerShell)
- Possible Credential Dumping via Windows Network Providers (Windows Event Log)
- Potential Credential Dumping of LSASS (Windows Event Log)
- Potential DCSync (Windows Event Log)
- Potential nanodump execution (Windows Event Log)
- ProcDump Credential Harvest (Sysmon)
- ProcDump Credential Harvest (Windows Event Log)
- pypykatz commands (Windows Event Log)
- RdrLeakDiag.exe Memory Dump (PowerShell)
- RdrLeakDiag.exe Memory Dump (Sysmon)
- RdrLeakDiag.exe Memory Dump (Windows Event Log)
- SAM Database File Access Attempt
- SAM, System, Security Files Accessed (Windows Event Log)
- SecretDumps Offline NTDS Dumping Tool
- SecretsDump Credential Harvest (Windows Event Log)
- Shadow Copy Created (Windows Event Log)
- Suspicious ntds.dit Commands (PowerShell)
- Suspicious ntds.dit Commands (Sysmon)
- Suspicious ntds.dit Commands (Windows Event Log)
- Task Manager lsass Dump (Windows Event Log)
- WDigest Forced Credential Caching (PowerShell)
- WDigest Forced Credential Caching (Sysmon)
- WDigest Forced Credential Caching (Windows Event Log)
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows Cached Domain Credentials Reg Query
- Windows Credential Dumping LSASS Memory Createdump
- Windows Hunting System Account Targeting Lsass
- Windows LAPS Password Gathering Via PowerShell Script
- Windows LSA Secrets NoLMhash Registry
- Windows Mimikatz Binary Execution
- Windows Non-System Account Targeting Lsass
- Windows Possible Credential Dumping
- Windows Rapid Authentication On Multiple Hosts
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Sensitive Registry Hive Dump Via CommandLine
Kusto 13 rules
- Credential Dumping Tools - File Artifacts
- Credential Dumping Tools - Service Installation
- Dev-0228 File Path Hashes November 2021
- Dev-0228 File Path Hashes November 2021 (ASIM Version)
- DopplePaymer Procdump
- Dumping LSASS Process Into a File
- LaZagne Credential Theft
- LSASS Credential Dumping with Procdump
- LSASS Dumping using Debug Privileges
- Non Domain Controller Active Directory Replication
- Powershell Empire Cmdlets Executed in Command Line
- PRT Credential Stealing
- WDigest downgrade attack
YARA-L 21 rules
- CreateDump Process Dump
- Cred Dump Tools Dropped Files
- Credential Dumping Attempt Via WerFault
- HackTool - Dumpert Process Dumper Default File
- HackTool - Dumpert Process Dumper Execution
- HackTool - Generic Process Access
- HackTool - Mimikatz Execution
- LSASS Dump Keyword In CommandLine
- LSASS Memory Access by Tool With Dump Keyword In Name
- Lsass Memory Dump via Comsvcs DLL
- LSASS Process Memory Dump Creation Via Taskmgr.exe
- LSASS Process Memory Dump Files
- MITRE ATT&CK T1003 RW Mimikatz
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
- Potential Credential Dumping Activity Via LSASS
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- potential lsass process dump via procdump
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump via RdrLeakDiag.exe
- Renamed CreateDump Utility Execution