T1003 Google Chronicle · YARA-L

Detect OS Credential Dumping in Google Chronicle

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Canonical reference
https://attack.mitre.org/techniques/T1003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule T1003_OS_Credential_Dumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1003 OS Credential Dumping via known tools, suspicious arguments, LSASS access, and comsvcs MiniDump"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003"
    severity = "CRITICAL"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      // Branch 1: Known credential dumping tool names in process events
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.principal.process.file.full_path,
          `(?i)(mimikatz|mimilib|mimidrv|procdump64?|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump)`)
        or
        re.regex($e.target.process.command_line,
          `(?i)(mimikatz|mimilib|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump)`)
      )
    )
    or
    (
      // Branch 2: Suspicious credential-harvesting arguments
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.command_line,
        `(?i)(sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility)`)
    )
    or
    (
      // Branch 3: LSASS process access from unauthorized process
      $e.metadata.event_type = "PROCESS_OPEN" and
      re.regex($e.target.process.file.full_path, `(?i)lsass\.exe`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(msmpeng|svchost|csrss|wininit|system|taskmgr|services)`)
    )
    or
    (
      // Branch 4: rundll32 + comsvcs + MiniDump (comsvcs minidump technique)
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)rundll32\.exe`) and
      re.regex($e.target.process.command_line, `(?i)comsvcs`) and
      re.regex($e.target.process.command_line, `(?i)minidump`)
    )
    or
    (
      // Branch 5: Registry access to credential hives
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)HKLM\\(SAM|SECURITY|SYSTEM)`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(regedit|svchost|services|system)`)
    )

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L 2.0 rule detecting T1003 OS Credential Dumping across five behavioral branches: known tool name execution, credential-harvesting CLI arguments, LSASS memory access from non-system processes, comsvcs.dll MiniDump via rundll32, and unauthorized registry hive access to SAM/SECURITY/SYSTEM.

Data Sources

Google Chronicle UDMWindows endpoint telemetry forwarded to ChronicleChronicle Forwarder with Sysmon/Windows Event Log ingestion

Required Tables

UDM events (process, registry, file categories)

False Positives & Tuning

  • Security tools and EDR agents performing LSASS reads for legitimate telemetry collection
  • Administrators exporting registry hives during authorized backup or recovery procedures
  • Penetration testers operating under a signed rules of engagement document
Download portable Sigma rule (.yml)

Other platforms for T1003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz sekurlsa::logonpasswords Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.

  2. Test 2LSASS Memory Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.

  3. Test 3Registry Hive Save for Offline SAM Extraction

    Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.

  4. Test 4Linux /etc/shadow Read Attempt

    Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.

  5. Test 5ProcDump LSASS Dump Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadowT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1558.003KerberoastingT1558.001Golden TicketT1562.001Disable or Modify ToolsT1134.001Token Impersonation/Theft

Same Tactic: Credential Access

Popular Detections