T1003 CrowdStrike LogScale · LogScale

Detect OS Credential Dumping in CrowdStrike LogScale

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Canonical reference
https://attack.mitre.org/techniques/T1003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Branch 1: Known credential dumping tool names (ProcessRollup2)
#event_simpleName=ProcessRollup2
| eval ImageFileName=lower(ImageFileName)
| eval CommandLine=lower(CommandLine)
| eval is_tool_name=if(
    match(ImageFileName, /mimikatz|mimilib|mimidrv|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump/),
    1, 0
  )
| eval is_suspicious_args=if(
    match(CommandLine, /sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility/),
    1, 0
  )
| eval is_comsvcs_minidump=if(
    match(ImageFileName, /rundll32/) AND match(CommandLine, /comsvcs/) AND match(CommandLine, /minidump/),
    1, 0
  )
| eval suspicion_score=is_tool_name + is_suspicious_args + is_comsvcs_minidump
| where suspicion_score > 0
| eval detection_branches=concat(
    if(is_tool_name=1, "ToolName ", ""),
    if(is_suspicious_args=1, "SuspiciousArgs ", ""),
    if(is_comsvcs_minidump=1, "ComsvcsMinidump ", "")
  )
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine,
         ParentImageFileName, suspicion_score, detection_branches
| sort -suspicion_score, -timestamp

// Branch 2: LSASS process access (ProcessAccess - Sysmon equivalent in Falcon)
#event_simpleName=ProcessAccess
| eval TargetProcess=lower(TargetImageFileName)
| eval SourceProcess=lower(ImageFileName)
| where match(TargetProcess, /lsass\.exe/)
| where not match(SourceProcess, /msmpeng|svchost|csrss|wininit|system|taskmgr|services/)
| eval detection_branch="LsassAccess"
| table timestamp, ComputerName, UserName, ImageFileName, TargetImageFileName,
         GrantedAccess, detection_branch
| sort -timestamp

// Branch 3: Registry credential hive access
#event_simpleName=RegOpenKey
| eval RegKeyPath=lower(RegKeyPath)
| where match(RegKeyPath, /hklm\\sam|hklm\\security|hklm\\system/)
| eval CallerProcess=lower(ImageFileName)
| where not match(CallerProcess, /regedit|svchost|services|system/)
| eval detection_branch="RegistryHiveDump"
| table timestamp, ComputerName, UserName, ImageFileName, RegKeyPath, detection_branch
| sort -timestamp
critical severity high confidence

CrowdStrike LogScale (Falcon) detection for T1003 OS Credential Dumping. Three separate queries covering: ProcessRollup2 events matching known tool names and suspicious arguments (scored), ProcessAccess events targeting lsass.exe from non-whitelisted processes, and registry key open events targeting SAM/SECURITY/SYSTEM hives. Run as separate saved searches or combined with union.

Data Sources

CrowdStrike Falcon EDRFalcon LogScale / HumioFalcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2#event_simpleName=ProcessAccess#event_simpleName=RegOpenKey

False Positives & Tuning

  • CrowdStrike sensor itself accessing LSASS for telemetry collection (filter by aid or ImageFileName=CSFalconService)
  • Windows Defender and other AV products performing memory scanning
  • IT operations tooling running ProcDump under change-controlled maintenance windows
Download portable Sigma rule (.yml)

Other platforms for T1003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz sekurlsa::logonpasswords Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.

  2. Test 2LSASS Memory Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.

  3. Test 3Registry Hive Save for Offline SAM Extraction

    Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.

  4. Test 4Linux /etc/shadow Read Attempt

    Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.

  5. Test 5ProcDump LSASS Dump Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadowT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1558.003KerberoastingT1558.001Golden TicketT1562.001Disable or Modify ToolsT1134.001Token Impersonation/Theft

Same Tactic: Credential Access

Popular Detections