T1003.005 Cached Domain Credentials Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CachedCredDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "lsadump::cache", "cachedump", "ms-cache", "mscache",
    "cas_dump", "cachedump"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LSACacheRegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"SECURITY\Cache"
    or RegistryKey has @"SECURITY\Policy\Secrets\NL$"
| where InitiatingProcessFileName !in~ ("lsass.exe", "svchost.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let LaZagneCached = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("lazagne.exe", "cachedump.exe", "fgdump.exe", "gsecdump.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LinuxSSSDAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/var/lib/sss/db/"
    or FolderPath has "/var/opt/quest/vas/authcache/"
| where ActionType in ("FileAccessed", "FileCopied")
| where InitiatingProcessFileName !in~ ("sssd", "sssd_nss", "sssd_pam")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName;
union CachedCredDump, LSACacheRegistry, LaZagneCached, LinuxSSSDAccess
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Access Process: Process Creation File: File Access Command: Command Execution

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Security auditing tools inventorying cached credentials as part of authorized security assessments
Incident response tooling that reads SECURITY\Cache for forensic purposes during authorized investigations
Enterprise password auditing solutions scanning cached credential strength
Backup agents with SYSTEM privileges reading SECURITY hive including Cache key

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval IsCachedDump=case(
    match(lower(CommandLine), "lsadump::cache|cachedump|mscache"), 1,
    match(lower(Image), "(lazagne|cachedump|fgdump|gsecdump)\.exe"), 1,
    1==1, 0
  )
| where IsCachedDump=1
| table _time, host, Image, CommandLine, User
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
   (TargetObject="*\\SECURITY\\Cache*" OR TargetObject="*\\SECURITY\\Policy\\Secrets\\NL$*")
   NOT (Image="*\\lsass.exe" OR Image="*\\svchost.exe" OR Image="*\\services.exe")
  | table _time, host, TargetObject, Image, User]

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Registry Key Access Sysmon Event ID 1 Sysmon Event ID 12

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security tools reading the cache count value to audit security settings
LSASS itself reading Cache during domain authentication attempts
EDR agents inspecting the cache registry key for security posture assessment
Authorized penetration testing with documented scope

Elastic Security (EQL)

eql

any where
(
  (event.category == "process" and event.type == "start" and
    (
      process.command_line like~ "*lsadump::cache*" or
      process.command_line like~ "*cachedump*" or
      process.command_line like~ "*mscache*" or
      process.command_line like~ "*ms-cache*" or
      process.name like~ "lazagne.exe" or
      process.name like~ "cachedump.exe" or
      process.name like~ "fgdump.exe" or
      process.name like~ "gsecdump.exe"
    )
  ) or
  (event.category == "registry" and
    (
      registry.path like "*\\SECURITY\\Cache*" or
      registry.path like "*\\SECURITY\\Policy\\Secrets\\NL$*"
    ) and
    not process.name in ("lsass.exe", "svchost.exe", "services.exe")
  ) or
  (event.category == "file" and
    (
      file.path like "/var/lib/sss/db/*" or
      file.path like "/var/opt/quest/vas/authcache/*"
    ) and
    event.action in ("opened", "read") and
    not process.name in ("sssd", "sssd_nss", "sssd_pam")
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate IT security scanning tools (Tenable, Qualys, CyberArk) that enumerate credential stores during authorized audits
SSSD daemon itself or PAM modules accessing /var/lib/sss/db/ during normal authentication operations — mitigate by tuning process.name exclusions
Forensic or IR tools such as FTK or Velociraptor collecting registry artifacts during an authorized incident investigation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "EventID",
  "CommandLine",
  "Image",
  "TargetObject",
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 352)
  AND (
    (
      "EventID" = '1'
      AND (
        LOWER("CommandLine") ILIKE '%lsadump::cache%'
        OR LOWER("CommandLine") ILIKE '%cachedump%'
        OR LOWER("CommandLine") ILIKE '%mscache%'
        OR LOWER("CommandLine") ILIKE '%ms-cache%'
        OR LOWER("Image") ILIKE '%lazagne.exe'
        OR LOWER("Image") ILIKE '%cachedump.exe'
        OR LOWER("Image") ILIKE '%fgdump.exe'
        OR LOWER("Image") ILIKE '%gsecdump.exe'
      )
    )
    OR (
      "EventID" IN ('12', '13', '14')
      AND (
        "TargetObject" ILIKE '%\SECURITY\Cache%'
        OR "TargetObject" ILIKE '%\SECURITY\Policy\Secrets\NL$%'
      )
      AND "Image" NOT ILIKE '%lsass.exe'
      AND "Image" NOT ILIKE '%svchost.exe'
      AND "Image" NOT ILIKE '%services.exe'
    )
    OR (
      "EventID" = '11'
      AND (
        "TargetFilename" ILIKE '/var/lib/sss/db/%'
        OR "TargetFilename" ILIKE '/var/opt/quest/vas/authcache/%'
      )
      AND "Image" NOT ILIKE '%sssd%'
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

critical severity high confidence

Data Sources

Microsoft Windows Sysmon (via QRadar DSM) QRadar Windows Security Event Log DSM Linux Syslog DSM

Required Tables

events

False Positives

Domain backup agents (e.g., Veeam, Commvault) that enumerate SECURITY hive keys during system state backups — whitelist by known backup service account usernames
Authorized red team or penetration testing engagements using Mimikatz or LaZagne — correlate with change management records
Security information gathering scripts by IT operations running cachedump-style tooling during vulnerability assessments — verify against approved tools list

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| parse xml field=_raw "*" as xml_data nodrop
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='TargetObject'>*</Data>" as target_object nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as computer nodrop
| where (
    (
      event_id = "1"
      and (
        matches(toLowerCase(command_line), ".*lsadump::cache.*")
        or matches(toLowerCase(command_line), ".*cachedump.*")
        or matches(toLowerCase(command_line), ".*mscache.*")
        or matches(toLowerCase(command_line), ".*ms-cache.*")
        or matches(toLowerCase(process_image), ".*(lazagne|cachedump|fgdump|gsecdump)\.exe")
      )
    )
    or (
      event_id in ("12", "13", "14")
      and (
        matches(target_object, ".*\\\\SECURITY\\\\Cache.*")
        or matches(target_object, ".*\\\\SECURITY\\\\Policy\\\\Secrets\\\\NL\$.*")
      )
      and !matches(toLowerCase(process_image), ".*(lsass|svchost|services)\.exe")
    )
    or (
      event_id = "11"
      and (
        matches(target_filename, "/var/lib/sss/db/.*")
        or matches(target_filename, "/var/opt/quest/vas/authcache/.*")
      )
      and !matches(toLowerCase(process_image), ".*sssd.*")
    )
  )
| eval detection_type = if(event_id = "1", "Process-CredDumpTool",
    if(event_id in ("12","13","14"), "Registry-LSACache", "File-SSSDCache"))
| fields _messageTime, computer, user, process_image, command_line, target_object, target_filename, detection_type, event_id
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Sysmon logs via Sumo Logic collector Linux syslog via Sumo Logic installed collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=os/windows/sysmon

False Positives

Enterprise endpoint management platforms (Microsoft SCCM, Tanium) performing registry enumeration during inventory scans — add known management process names to exclusion list
Windows credential roaming or Credential Manager synchronization processes that legitimately access SECURITY hive subkeys
Security compliance scanning tools (CIS-CAT, SCAP) checking LSA configuration — identify by scan schedule and source IP correlation

Google Chronicle / SecOps

yaral

rule t1003_005_cached_domain_credentials {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects access to cached domain credentials (DCC2/MS-Cache v2) via credential dumping tools, LSA cache registry access, or SSSD cache file access on Linux."
    mitre_attack_technique = "T1003.005"
    mitre_attack_tactic = "Credential Access"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1003/005/"
    version = "1.0"

  events:
    (
      // Pattern 1: Known credential dumping tool process execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.command_line, `(?i)(lsadump::cache|cachedump|mscache|ms-cache)`) or
        re.regex($e1.target.process.file.full_path, `(?i)(lazagne|cachedump|fgdump|gsecdump)\.exe`)
      )
    )
    or
    (
      // Pattern 2: Non-system process accessing LSA cache registry keys
      $e1.metadata.event_type = "REGISTRY_READ"
      and (
        re.regex($e1.target.registry.registry_key, `(?i)\\SECURITY\\Cache`) or
        re.regex($e1.target.registry.registry_key, `(?i)\\SECURITY\\Policy\\Secrets\\NL\$`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(lsass|svchost|services)\.exe$`)
    )
    or
    (
      // Pattern 3: Unauthorized access to Linux SSSD credential cache
      $e1.metadata.event_type = "FILE_OPEN"
      and (
        re.regex($e1.target.file.full_path, `/var/lib/sss/db/`) or
        re.regex($e1.target.file.full_path, `/var/opt/quest/vas/authcache/`)
      )
      and not re.regex($e1.principal.process.file.full_path, `sssd`)
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Sysmon via Chronicle forwarder Linux auditd via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH, REGISTRY_READ, FILE_OPEN)

False Positives

Privileged access workstation (PAW) management solutions that inventory LSA configuration as part of hardening compliance checks — whitelist by known PAW management service accounts
SSSD daemon child processes (sssd_be, sssd_sudo) that may appear under unexpected parent processes during authentication failures or cache rebuild operations
Authorized penetration testing using Mimikatz with lsadump::cache — correlate with approved pentest window and source host

CrowdStrike LogScale (CQL)

cql

// T1003.005 - Cached Domain Credentials Detection
// Pattern 1: Known credential dumping tool execution
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(lsadump::cache|cachedump|mscache|ms-cache)/ OR ImageFileName = /(?i)(lazagne|cachedump|fgdump|gsecdump)\.exe/
| eval DetectionType = "CredDumpTool"
| table _time, ComputerName, UserName, ImageFileName, CommandLine, DetectionType

// Pattern 2: Registry access to LSA cache hive by suspicious processes  
| union
  [ #event_simpleName = RegGenericValueUpdate OR #event_simpleName = RegValueUpdate
  | RegObjectName = /\\SECURITY\\Cache|\\SECURITY\\Policy\\Secrets\\NL\$/
  | ImageFileName != /(?i)(lsass|svchost|services)\.exe$/
  | eval DetectionType = "LSARegistryAccess"
  | table _time, ComputerName, UserName, ImageFileName, RegObjectName, DetectionType ]

// Pattern 3: File access to SSSD credential cache (Linux endpoints)
| union
  [ #event_simpleName = SyntheticProcessRollup2 OR #event_simpleName = PlatformEvent
  | TargetFileName = /\/var\/lib\/sss\/db\/|\/var\/opt\/quest\/vas\/authcache\//
  | ImageFileName != /sssd/
  | eval DetectionType = "SSSDCacheAccess"
  | table _time, ComputerName, UserName, ImageFileName, TargetFileName, DetectionType ]

| groupBy([ComputerName, UserName, DetectionType], function=[collect([ImageFileName, CommandLine, RegObjectName, TargetFileName]), count(as=EventCount)])
| sort -EventCount

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (EDR) Falcon sensor process telemetry Falcon sensor registry event telemetry Falcon sensor file event telemetry (Linux)

Required Tables

ProcessRollup2 RegGenericValueUpdate RegValueUpdate SyntheticProcessRollup2

False Positives

CrowdStrike Falcon's own sensor performing registry integrity checks on LSA hive — the sensor process itself may query SECURITY\Cache during behavioral monitoring; Falcon's own exclusions should handle this
Active Directory migration tools (ADMT, Quest Migration Manager) that legitimately read cached credential counts from SECURITY\Cache to validate domain migration readiness
Helpdesk or IT automation scripts using gsecdump or similar tools during authorized password reset or credential verification workflows — correlate with IT ticketing system

Cached Domain Credentials

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections