T1003

OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

Microsoft Sentinel / Defender

kusto

let CredDumpTools = dynamic([
  "mimikatz", "mimilib", "mimidrv",
  "procdump", "procdump64",
  "wce.exe", "pwdump", "fgdump",
  "gsecdump", "cachedump", "lsadump",
  "secretsdump", "impacket",
  "crackmapexec", "safetydump",
  "sharpdump", "sharpkatz",
  "laZagne", "lazagne",
  "nanodump", "handlekatz"
]);
let CredDumpArgs = dynamic([
  "sekurlsa", "lsadump", "dcsync",
  "logonpasswords", "wdigest", "kerberos",
  "privilege::debug", "token::elevate",
  "lsass", "SAM", "SYSTEM", "SECURITY",
  "ntds.dit", "comsvcs", "MiniDump",
  "procdump.*lsass", "Out-Minidump",
  "pypykatz", "volatility"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe",
  "wscript.exe", "cscript.exe", "mshta.exe",
  "rundll32.exe", "regsvr32.exe"
]);
// Branch 1: Known credential dumping tool names
let ToolNameHits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CredDumpTools)
   or ProcessCommandLine has_any (CredDumpTools)
| extend DetectionBranch = "ToolName"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 2: Credential dumping arguments in any process
let ArgHits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (CredDumpArgs)
| extend DetectionBranch = "SuspiciousArgs"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 3: LSASS memory access via process access events
let LsassAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccess"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "svchost.exe", "csrss.exe",
         "wininit.exe", "System", "taskmgr.exe", "services.exe")
| extend DetectionBranch = "LsassAccess"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName=InitiatingProcessParentFileName,
         InitiatingProcessCommandLine="",
         InitiatingProcessParentFileName="", DetectionBranch, SHA256=InitiatingProcessSHA256;
// Branch 4: comsvcs.dll MiniDump via rundll32 targeting LSASS
let ComsvcsMinidump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has "comsvcs" and ProcessCommandLine has "MiniDump"
| extend DetectionBranch = "ComsvcsMinidump"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 5: Registry access to credential-bearing hives
let RegistryCredHives = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM")
| where ActionType in ("RegistryKeyExportToFile", "RegistryValueSet")
| where InitiatingProcessFileName !in~ ("regedit.exe", "RegEdit64.exe",
         "svchost.exe", "services.exe", "System")
| extend DetectionBranch = "RegistryHiveDump"
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName=InitiatingProcessParentFileName,
         InitiatingProcessCommandLine="",
         InitiatingProcessParentFileName="", DetectionBranch, SHA256=InitiatingProcessSHA256;
union ToolNameHits, ArgHits, LsassAccess, ComsvcsMinidump, RegistryCredHives
| summarize Branches=make_set(DetectionBranch), Count=count(),
            Commands=make_set(ProcessCommandLine),
            Earliest=min(Timestamp), Latest=max(Timestamp)
  by DeviceName, AccountName, FileName
| extend RiskScore = array_length(Branches)
| sort by RiskScore desc, Latest desc

critical severity high confidence

Data Sources

Process: Process Creation Process: Process Access File: File Access Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceEvents DeviceRegistryEvents

False Positives

Legitimate security tools and EDR agents (CrowdStrike Falcon, Carbon Black, SentinelOne) that access LSASS for memory scanning and threat detection
Authorized penetration testing or red team exercises using Mimikatz or ProcDump against non-production systems
IT helpdesk or sysadmin tools that access SAM or SECURITY hives for backup, recovery, or password synchronization tasks
Microsoft SCCM, Intune, or backup agents that read registry hives during system state backups
Vulnerability scanning tools (Tenable Nessus, Qualys) that enumerate credential-related registry keys during credentialed scans

Splunk

spl

index=wineventlog
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval is_tool_name=if(
    match(lower(coalesce(Image, ProcessName, "")),
      "mimikatz|mimilib|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump"
    ), 1, 0
  )
| eval is_suspicious_args=if(
    match(lower(coalesce(CommandLine, NewProcessName, "")),
      "sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility"
    ), 1, 0
  )
| eval is_lsass_access=if(
    (EventCode=10 AND match(lower(coalesce(TargetImage, "")), "lsass\.exe")
     AND NOT match(lower(coalesce(SourceImage, "")),
       "msmpeng|svchost|csrss|wininit|system|taskmgr|services"
     )
    ), 1, 0
  )
| eval is_comsvcs_minidump=if(
    (EventCode=1
     AND match(lower(coalesce(Image, "")), "rundll32\.exe")
     AND match(lower(coalesce(CommandLine, "")), "comsvcs")
     AND match(lower(coalesce(CommandLine, "")), "minidump")
    ), 1, 0
  )
| eval SuspicionScore = is_tool_name + is_suspicious_args + is_lsass_access + is_comsvcs_minidump
| where SuspicionScore > 0
| eval DetectionBranches=mvappend(
    if(is_tool_name=1, "ToolName", null()),
    if(is_suspicious_args=1, "SuspiciousArgs", null()),
    if(is_lsass_access=1, "LsassAccess", null()),
    if(is_comsvcs_minidump=1, "ComsvcsMinidump", null())
  )
| eval CommandLine=coalesce(CommandLine, NewProcessName, "")
| eval ProcessImage=coalesce(Image, ProcessName, "")
| eval ParentImage=coalesce(ParentImage, ParentProcessName, "")
| table _time, host, User, ProcessImage, CommandLine, ParentImage,
        is_tool_name, is_suspicious_args, is_lsass_access, is_comsvcs_minidump,
        SuspicionScore, DetectionBranches
| sort - SuspicionScore, - _time

critical severity high confidence

Data Sources

Process: Process Creation Process: Process Access Sysmon Event ID 1 Sysmon Event ID 10 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate security tools and EDR agents (CrowdStrike Falcon, Carbon Black, SentinelOne) that access LSASS for memory scanning and threat detection
Authorized penetration testing or red team exercises using Mimikatz or ProcDump against non-production systems
IT helpdesk or sysadmin tools that access SAM or SECURITY hives for backup, recovery, or password synchronization tasks
Microsoft SCCM, Intune, or backup agents that read registry hives during system state backups
Vulnerability scanning tools (Tenable Nessus, Qualys) that enumerate credential-related registry keys during credentialed scans

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Path" AS parent_process,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
  AND (
    -- Known credential dumping tool names
    LOWER("Process Name") MATCHES '.*mimikatz.*|.*mimilib.*|.*procdump.*|.*wce\.exe.*|.*pwdump.*|.*fgdump.*|.*gsecdump.*|.*cachedump.*|.*lsadump.*|.*lazagne.*|.*nanodump.*|.*handlekatz.*|.*sharpdump.*|.*sharpkatz.*|.*safetydump.*'
    OR
    -- Suspicious command-line arguments
    LOWER("Command") MATCHES '.*sekurlsa.*|.*dcsync.*|.*logonpasswords.*|.*wdigest.*|.*privilege::debug.*|.*token::elevate.*|.*ntds\.dit.*|.*out-minidump.*|.*pypykatz.*|.*volatility.*'
    OR
    -- comsvcs MiniDump via rundll32
    (LOWER("Process Name") MATCHES '.*rundll32.*'
     AND LOWER("Command") MATCHES '.*comsvcs.*'
     AND LOWER("Command") MATCHES '.*minidump.*')
    OR
    -- Windows Event 4688 process creation with cred dump indicators
    (EventID = 4688
     AND (
       LOWER(UTF8(payload, 'NewProcessName')) MATCHES '.*mimikatz.*|.*lazagne.*|.*procdump.*|.*nanodump.*'
       OR LOWER(UTF8(payload, 'CommandLine')) MATCHES '.*sekurlsa.*|.*lsadump.*|.*dcsync.*'
     )
    )
    OR
    -- Sysmon Event 10: LSASS process access from suspicious source
    (EventID = 10
     AND LOWER(UTF8(payload, 'TargetImage')) MATCHES '.*lsass\.exe'
     AND NOT LOWER(UTF8(payload, 'SourceImage')) MATCHES '.*msmpeng.*|.*svchost.*|.*csrss.*|.*wininit.*|.*taskmgr.*|.*services.*'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

critical severity high confidence

Data Sources

QRadar SIEM with Sysmon log source Windows Security Event Log via WinCollect Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Security vendors and EDR agents legitimately accessing LSASS for monitoring purposes
IT administrators using ProcDump during authorized debugging sessions
Vulnerability scanners or automated tooling executing with credential-related argument strings

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="windows/system")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Data Name='TargetImage'>*</Data>" as target_image nodrop
| parse field=_raw "<Data Name='SourceImage'>*</Data>" as source_image nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
| parse field=_raw "<Data Name='NewProcessName'>*</Data>" as new_process nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as cmd_4688 nodrop
| eval process_name = if(!isNull(process_image), process_image, new_process)
| eval cmd = if(!isNull(command_line), command_line, cmd_4688)
// Tool name detection
| eval is_tool_name = if(
    matches(toLowerCase(process_name), "mimikatz|mimilib|mimidrv|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump"),
    1, 0
  )
// Suspicious arguments
| eval is_suspicious_args = if(
    matches(toLowerCase(cmd), "sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|out-minidump|pypykatz|volatility"),
    1, 0
  )
// LSASS process access (Sysmon EID 10)
| eval is_lsass_access = if(
    event_id = "10"
    AND matches(toLowerCase(target_image), "lsass\.exe")
    AND !matches(toLowerCase(source_image), "msmpeng|svchost|csrss|wininit|system|taskmgr|services"),
    1, 0
  )
// comsvcs MiniDump via rundll32
| eval is_comsvcs_minidump = if(
    matches(toLowerCase(process_name), "rundll32\.exe")
    AND matches(toLowerCase(cmd), "comsvcs")
    AND matches(toLowerCase(cmd), "minidump"),
    1, 0
  )
| eval suspicion_score = is_tool_name + is_suspicious_args + is_lsass_access + is_comsvcs_minidump
| where suspicion_score > 0
| eval detection_branches = concat(
    if(is_tool_name=1, "ToolName ", ""),
    if(is_suspicious_args=1, "SuspiciousArgs ", ""),
    if(is_lsass_access=1, "LsassAccess ", ""),
    if(is_comsvcs_minidump=1, "ComsvcsMinidump ", "")
  )
| fields _messageTime, _sourceHost, user, process_name, cmd, parent_image,
         is_tool_name, is_suspicious_args, is_lsass_access, is_comsvcs_minidump,
         suspicion_score, detection_branches
| sort by suspicion_score desc, _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Windows Security Event Log source Sumo Logic Cloud SIEM (CSE)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

EDR and AV agents (e.g. Defender, CrowdStrike) accessing LSASS as part of normal telemetry collection
Authorized penetration testing or red team operations with formal approval
Legitimate use of ProcDump by developers for crash dump analysis on non-LSASS targets

Google Chronicle / SecOps

yaral

rule T1003_OS_Credential_Dumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1003 OS Credential Dumping via known tools, suspicious arguments, LSASS access, and comsvcs MiniDump"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003"
    severity = "CRITICAL"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      // Branch 1: Known credential dumping tool names in process events
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.principal.process.file.full_path,
          `(?i)(mimikatz|mimilib|mimidrv|procdump64?|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump)`)
        or
        re.regex($e.target.process.command_line,
          `(?i)(mimikatz|mimilib|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump)`)
      )
    )
    or
    (
      // Branch 2: Suspicious credential-harvesting arguments
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.command_line,
        `(?i)(sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility)`)
    )
    or
    (
      // Branch 3: LSASS process access from unauthorized process
      $e.metadata.event_type = "PROCESS_OPEN" and
      re.regex($e.target.process.file.full_path, `(?i)lsass\.exe`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(msmpeng|svchost|csrss|wininit|system|taskmgr|services)`)
    )
    or
    (
      // Branch 4: rundll32 + comsvcs + MiniDump (comsvcs minidump technique)
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)rundll32\.exe`) and
      re.regex($e.target.process.command_line, `(?i)comsvcs`) and
      re.regex($e.target.process.command_line, `(?i)minidump`)
    )
    or
    (
      // Branch 5: Registry access to credential hives
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)HKLM\\(SAM|SECURITY|SYSTEM)`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(regedit|svchost|services|system)`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry forwarded to Chronicle Chronicle Forwarder with Sysmon/Windows Event Log ingestion

Required Tables

UDM events (process, registry, file categories)

False Positives

Security tools and EDR agents performing LSASS reads for legitimate telemetry collection
Administrators exporting registry hives during authorized backup or recovery procedures
Penetration testers operating under a signed rules of engagement document

CrowdStrike LogScale (CQL)

cql

// Branch 1: Known credential dumping tool names (ProcessRollup2)
#event_simpleName=ProcessRollup2
| eval ImageFileName=lower(ImageFileName)
| eval CommandLine=lower(CommandLine)
| eval is_tool_name=if(
    match(ImageFileName, /mimikatz|mimilib|mimidrv|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump/),
    1, 0
  )
| eval is_suspicious_args=if(
    match(CommandLine, /sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility/),
    1, 0
  )
| eval is_comsvcs_minidump=if(
    match(ImageFileName, /rundll32/) AND match(CommandLine, /comsvcs/) AND match(CommandLine, /minidump/),
    1, 0
  )
| eval suspicion_score=is_tool_name + is_suspicious_args + is_comsvcs_minidump
| where suspicion_score > 0
| eval detection_branches=concat(
    if(is_tool_name=1, "ToolName ", ""),
    if(is_suspicious_args=1, "SuspiciousArgs ", ""),
    if(is_comsvcs_minidump=1, "ComsvcsMinidump ", "")
  )
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine,
         ParentImageFileName, suspicion_score, detection_branches
| sort -suspicion_score, -timestamp

// Branch 2: LSASS process access (ProcessAccess - Sysmon equivalent in Falcon)
#event_simpleName=ProcessAccess
| eval TargetProcess=lower(TargetImageFileName)
| eval SourceProcess=lower(ImageFileName)
| where match(TargetProcess, /lsass\.exe/)
| where not match(SourceProcess, /msmpeng|svchost|csrss|wininit|system|taskmgr|services/)
| eval detection_branch="LsassAccess"
| table timestamp, ComputerName, UserName, ImageFileName, TargetImageFileName,
         GrantedAccess, detection_branch
| sort -timestamp

// Branch 3: Registry credential hive access
#event_simpleName=RegOpenKey
| eval RegKeyPath=lower(RegKeyPath)
| where match(RegKeyPath, /hklm\\sam|hklm\\security|hklm\\system/)
| eval CallerProcess=lower(ImageFileName)
| where not match(CallerProcess, /regedit|svchost|services|system/)
| eval detection_branch="RegistryHiveDump"
| table timestamp, ComputerName, UserName, ImageFileName, RegKeyPath, detection_branch
| sort -timestamp

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale / Humio Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=ProcessAccess #event_simpleName=RegOpenKey

False Positives

CrowdStrike sensor itself accessing LSASS for telemetry collection (filter by aid or ImageFileName=CSFalconService)
Windows Defender and other AV products performing memory scanning
IT operations tooling running ProcDump under change-controlled maintenance windows

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

OS Credential Dumping

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (8)

Same Tactic: Credential Access

Popular Detections