detection.wiki

Detection rules › Splunk

Windows Possible Credential Dumping

Author
Michael Haag, Splunk
Source
upstream

The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.001 OS Credential Dumping: LSASS Memory

Event coverage

ProviderEvent IDTitle
Sysmon10ProcessAccess

Stages and Predicates

Stage 1: search

search NOT SourceUser IN ("NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SYSTEM") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*kernel32.dll*", "*kernelbase.dll*", "*ntdll.dll*") EventCode=10 TargetImage="*\\\\lsass.exe" granted_access IN ("0x01000", "0x1000", "0x1010", "0x1038", "0x1400", "0x1410", "0x1438", "0x143a", "0x1fffff", "0x40")

Stage 2: stats

stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1SourceUserin"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SYSTEM"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CallTracein
  • "*dbgcore.dll*"
  • "*dbghelp.dll*"
  • "*kernel32.dll*"
  • "*kernelbase.dll*"
  • "*ntdll.dll*"
EventCodeeq
  • 10 corpus 14 (splunk 14)
TargetImageeq
  • *\\lsass.exe
granted_accessin
  • "0x01000"
  • "0x1000"
  • "0x1010"
  • "0x1038"
  • "0x1400"
  • "0x1410"
  • "0x1438"
  • "0x143a"
  • "0x1fffff" corpus 4 (splunk 4)
  • "0x40" corpus 3 (splunk 3)