T1003 Elastic Security · Elastic

Detect OS Credential Dumping in Elastic Security

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Canonical reference
https://attack.mitre.org/techniques/T1003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name : ("mimikatz.exe","mimilib.exe","mimidrv.exe","procdump.exe","procdump64.exe","wce.exe","pwdump.exe","fgdump.exe","gsecdump.exe","cachedump.exe","lsadump.exe","lazagne.exe","nanodump.exe","handlekatz.exe","sharpdump.exe","sharpkatz.exe","safetydump.exe") or
    process.command_line : ("*sekurlsa*","*lsadump*","*dcsync*","*logonpasswords*","*wdigest*","*privilege::debug*","*token::elevate*","*ntds.dit*","*comsvcs*MiniDump*","*Out-Minidump*","*pypykatz*","*volatility*","*procdump*lsass*")
  )] by process.entity_id
| [process where event.type == "start"] by process.parent.entity_id

OR

sequence by host.name with maxspan=1m
  [process where event.type == "start" and
    process.name : "rundll32.exe" and
    process.command_line : "*comsvcs*" and
    process.command_line : "*MiniDump*"
  ]

OR

any where event.category == "process" and event.action == "accessed" and
  process.name : "lsass.exe" and
  not ?
  {
    winlog.event_data.SourceImage : ("MsMpEng.exe","svchost.exe","csrss.exe","wininit.exe","System","taskmgr.exe","services.exe")
  }
critical severity high confidence

Detects OS credential dumping (T1003) via known tool names, suspicious credential-harvesting command-line arguments, LSASS process access, comsvcs.dll MiniDump abuse, and registry hive exports. Covers Mimikatz, ProcDump, LaZagne, nanodump, DCSync, and in-memory techniques.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*logs-windows.*

False Positives & Tuning

  • Legitimate system administrators using ProcDump for debugging non-LSASS processes
  • Security tools such as CrowdStrike or Carbon Black accessing LSASS for EDR telemetry
  • Authorized red team or penetration testing engagements using Mimikatz under change control
Download portable Sigma rule (.yml)

Other platforms for T1003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz sekurlsa::logonpasswords Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.

  2. Test 2LSASS Memory Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.

  3. Test 3Registry Hive Save for Offline SAM Extraction

    Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.

  4. Test 4Linux /etc/shadow Read Attempt

    Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.

  5. Test 5ProcDump LSASS Dump Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadowT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1558.003KerberoastingT1558.001Golden TicketT1562.001Disable or Modify ToolsT1134.001Token Impersonation/Theft

Same Tactic: Credential Access

Popular Detections