Detect OS Credential Dumping in IBM QRadar
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Canonical reference
- https://attack.mitre.org/techniques/T1003/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
username,
QIDNAME(qid) AS event_name,
CATEGORYNAME(category) AS category_name,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process Path" AS parent_process,
logsourceid,
LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
AND (
-- Known credential dumping tool names
LOWER("Process Name") MATCHES '.*mimikatz.*|.*mimilib.*|.*procdump.*|.*wce\.exe.*|.*pwdump.*|.*fgdump.*|.*gsecdump.*|.*cachedump.*|.*lsadump.*|.*lazagne.*|.*nanodump.*|.*handlekatz.*|.*sharpdump.*|.*sharpkatz.*|.*safetydump.*'
OR
-- Suspicious command-line arguments
LOWER("Command") MATCHES '.*sekurlsa.*|.*dcsync.*|.*logonpasswords.*|.*wdigest.*|.*privilege::debug.*|.*token::elevate.*|.*ntds\.dit.*|.*out-minidump.*|.*pypykatz.*|.*volatility.*'
OR
-- comsvcs MiniDump via rundll32
(LOWER("Process Name") MATCHES '.*rundll32.*'
AND LOWER("Command") MATCHES '.*comsvcs.*'
AND LOWER("Command") MATCHES '.*minidump.*')
OR
-- Windows Event 4688 process creation with cred dump indicators
(EventID = 4688
AND (
LOWER(UTF8(payload, 'NewProcessName')) MATCHES '.*mimikatz.*|.*lazagne.*|.*procdump.*|.*nanodump.*'
OR LOWER(UTF8(payload, 'CommandLine')) MATCHES '.*sekurlsa.*|.*lsadump.*|.*dcsync.*'
)
)
OR
-- Sysmon Event 10: LSASS process access from suspicious source
(EventID = 10
AND LOWER(UTF8(payload, 'TargetImage')) MATCHES '.*lsass\.exe'
AND NOT LOWER(UTF8(payload, 'SourceImage')) MATCHES '.*msmpeng.*|.*svchost.*|.*csrss.*|.*wininit.*|.*taskmgr.*|.*services.*'
)
)
AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500AQL detection for T1003 OS Credential Dumping covering known tool names in process events (Sysmon EventID 1, Security 4688), suspicious arguments for DCSync/sekurlsa/wdigest, LSASS memory access (Sysmon 10), and comsvcs.dll MiniDump abuse via rundll32.
Data Sources
Required Tables
False Positives & Tuning
- Security vendors and EDR agents legitimately accessing LSASS for monitoring purposes
- IT administrators using ProcDump during authorized debugging sessions
- Vulnerability scanners or automated tooling executing with credential-related argument strings
Other platforms for T1003
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz sekurlsa::logonpasswords Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.
- Test 2LSASS Memory Dump via comsvcs.dll MiniDump
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.
- Test 3Registry Hive Save for Offline SAM Extraction
Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.
- Test 4Linux /etc/shadow Read Attempt
Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.
- Test 5ProcDump LSASS Dump Pattern Simulation
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.
References (12)
- https://attack.mitre.org/techniques/T1003/
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://adsecurity.org/?p=1729
- https://github.com/gentilkiwi/mimikatz
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/credential_access
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://www.mandiant.com/resources/blog/detecting-mimikatz-in-your-environment
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/mimikatz.htm
- https://www.cybereason.com/blog/the-anatomy-of-mimikatz
Unlock Pro Content
Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.