Detect OS Credential Dumping in Microsoft Sentinel
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, the SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and the /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. The technique is widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as by malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1003 OS Credential Dumping
- Canonical reference: https://attack.mitre.org/techniques/T1003/
KQL Detection Query
let CredDumpTools = dynamic([
"mimikatz", "mimilib", "mimidrv",
"procdump", "procdump64",
"wce.exe", "pwdump", "fgdump",
"gsecdump", "cachedump", "lsadump",
"secretsdump", "impacket",
"crackmapexec", "safetydump",
"sharpdump", "sharpkatz",
"laZagne", "lazagne",
"nanodump", "handlekatz"
]);
// has_any matches whole terms case-insensitively; it does not evaluate regular
// expressions, so the "procdump.*lsass" pattern is matched separately in Branch 2.
let CredDumpArgs = dynamic([
"sekurlsa", "lsadump", "dcsync",
"logonpasswords", "wdigest", "kerberos",
"privilege::debug", "token::elevate",
"lsass", "SAM", "SYSTEM", "SECURITY",
"ntds.dit", "comsvcs", "MiniDump",
"Out-Minidump", "pypykatz", "volatility"
]);
// Defined for optional parent-process filtering; not applied by the branches below.
let SuspiciousParents = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe",
"wscript.exe", "cscript.exe", "mshta.exe",
"rundll32.exe", "regsvr32.exe"
]);
// Branch 1: Known credential dumping tool names
let ToolNameHits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (CredDumpTools)
    or ProcessCommandLine has_any (CredDumpTools)
| extend DetectionBranch = "ToolName"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 2: Credential dumping arguments in any process
let ArgHits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (CredDumpArgs)
    or ProcessCommandLine matches regex @"(?i)procdump.*lsass"
| extend DetectionBranch = "SuspiciousArgs"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 3: LSASS memory access. DeviceEvents records a handle open on another
// process as ActionType "OpenProcessApiCall", with FileName set to the target process.
let LsassAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "svchost.exe", "csrss.exe",
    "wininit.exe", "System", "taskmgr.exe", "services.exe")
| extend DetectionBranch = "LsassAccess"
// Re-map columns so the accessing process appears as FileName, consistent with the other branches
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName=InitiatingProcessFileName,
    ProcessCommandLine=InitiatingProcessCommandLine,
    InitiatingProcessFileName=InitiatingProcessParentFileName,
    InitiatingProcessCommandLine="",
    InitiatingProcessParentFileName="", DetectionBranch, SHA256=InitiatingProcessSHA256;
// Branch 4: comsvcs.dll MiniDump via rundll32 targeting LSASS
let ComsvcsMinidump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has "comsvcs" and ProcessCommandLine has "MiniDump"
| extend DetectionBranch = "ComsvcsMinidump"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DetectionBranch, SHA256;
// Branch 5: Registry access to credential-bearing hives.
// DeviceRegistryEvents stores RegistryKey with the long hive prefix (HKEY_LOCAL_MACHINE\...),
// so both spellings are matched.
let RegistryCredHives = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM",
    "HKEY_LOCAL_MACHINE\\SAM", "HKEY_LOCAL_MACHINE\\SECURITY", "HKEY_LOCAL_MACHINE\\SYSTEM")
| where ActionType in ("RegistryKeyExportToFile", "RegistryValueSet")
| where InitiatingProcessFileName !in~ ("regedit.exe", "RegEdit64.exe",
    "svchost.exe", "services.exe", "System")
| extend DetectionBranch = "RegistryHiveDump"
| project Timestamp, DeviceName,
    AccountName=InitiatingProcessAccountName,
    FileName=InitiatingProcessFileName,
    ProcessCommandLine=InitiatingProcessCommandLine,
    InitiatingProcessFileName=InitiatingProcessParentFileName,
    InitiatingProcessCommandLine="",
    InitiatingProcessParentFileName="", DetectionBranch, SHA256=InitiatingProcessSHA256;
// Union all branches; RiskScore is the number of distinct branches that fired per device/account/file
union ToolNameHits, ArgHits, LsassAccess, ComsvcsMinidump, RegistryCredHives
| summarize Branches=make_set(DetectionBranch), Count=count(),
    Commands=make_set(ProcessCommandLine),
    Earliest=min(Timestamp), Latest=max(Timestamp)
    by DeviceName, AccountName, FileName
| extend RiskScore = array_length(Branches)
| sort by RiskScore desc, Latest desc
Broad credential dumping detection across five branches: known tool name/binary execution (Mimikatz, ProcDump, LaZagne, etc.), suspicious credential-targeting arguments in any process command line (sekurlsa, lsadump, dcsync), LSASS process memory access from unexpected initiators, comsvcs.dll MiniDump patterns targeting LSASS via rundll32, and unauthorized registry exports of credential-bearing hives (SAM, SECURITY, SYSTEM). Results are grouped by device, account, and filename with a RiskScore equal to the number of distinct branches that fired; multi-branch matches are highest priority. Branches 2 and 5 are the noisiest on their own: terms such as "SYSTEM", "kerberos" and "lsass" occur in legitimate command lines, and any value written under HKLM\SYSTEM satisfies the hive filter, so single-branch hits from those two branches should be triaged against the tuning list below before being escalated.
Data Sources
Microsoft Defender for Endpoint advanced hunting tables, ingested into Sentinel through the Microsoft Defender XDR connector.
Required Tables
- DeviceProcessEvents (Branches 1, 2 and 4)
- DeviceEvents (Branch 3, OpenProcessApiCall records)
- DeviceRegistryEvents (Branch 5)
False Positives & Tuning
- Legitimate security tools and EDR agents (CrowdStrike Falcon, Carbon Black, SentinelOne) that access LSASS for memory scanning and threat detection
- Authorized penetration testing or red team exercises using Mimikatz or ProcDump against non-production systems
- IT helpdesk or sysadmin tools that access SAM or SECURITY hives for backup, recovery, or password synchronization tasks
- Microsoft SCCM, Intune, or backup agents that read registry hives during system state backups
- Vulnerability scanning tools (Tenable Nessus, Qualys) that enumerate credential-related registry keys during credentialed scans
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mimikatz sekurlsa::logonpasswords Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.
- Test 2: LSASS Memory Dump via comsvcs.dll MiniDump
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.
- Test 3: Registry Hive Save for Offline SAM Extraction
Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.
- Test 4: Linux /etc/shadow Read Attempt
Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.
- Test 5: ProcDump LSASS Dump Pattern Simulation
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.
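To check that the five branches and the RiskScore grouping behave as the query description and the Windows tests above expect before the rule is deployed, the following Python models the same logic offline over constructed events. This is an added example, not code from the original page or from Microsoft; the event dictionaries, the `has_term` approximation of KQL `has` (case-insensitive whole-term matching) and the abbreviated tool and argument lists are assumptions made for the example, and the sample command lines are constructed to mirror Tests 1, 2, 3 and 5 plus two benign events.

```python
import re
from collections import defaultdict

# Abbreviated copies of the KQL dynamic arrays (constructed for this example).
CRED_DUMP_TOOLS = ["mimikatz", "procdump", "procdump64", "lazagne", "nanodump", "secretsdump"]
CRED_DUMP_ARGS = ["sekurlsa", "lsadump", "dcsync", "logonpasswords", "privilege::debug",
                  "lsass", "SAM", "SYSTEM", "SECURITY", "ntds.dit", "comsvcs", "MiniDump"]
PROCDUMP_LSASS = re.compile(r"procdump.*lsass", re.IGNORECASE)   # regex branch-2 pattern
LSASS_ALLOWED = {"msmpeng.exe", "svchost.exe", "csrss.exe", "wininit.exe",
                 "system", "taskmgr.exe", "services.exe"}
REGISTRY_ALLOWED = {"regedit.exe", "regedit64.exe", "svchost.exe", "services.exe", "system"}
CRED_HIVES = ["HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM"]


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive match of `term` on token boundaries,
    so 'SYSTEM' matches 'reg save HKLM\\SYSTEM' but not 'System32'."""
    pattern = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None


def has_any(text, terms):
    return any(has_term(text, t) for t in terms)


def branches_for(ev):
    """Return the set of detection branches a single event trips.
    `file` is the process for DeviceProcessEvents and the *initiating* process for
    DeviceEvents/DeviceRegistryEvents, matching the column re-mapping in the KQL."""
    hits = set()
    cmd = ev["cmdline"]
    if ev["table"] == "DeviceProcessEvents":
        if has_any(ev["file"], CRED_DUMP_TOOLS) or has_any(cmd, CRED_DUMP_TOOLS):
            hits.add("ToolName")                                     # Branch 1
        if has_any(cmd, CRED_DUMP_ARGS) or PROCDUMP_LSASS.search(cmd):
            hits.add("SuspiciousArgs")                               # Branch 2
        if ev["file"].lower() == "rundll32.exe" and has_term(cmd, "comsvcs") \
                and has_term(cmd, "minidump"):
            hits.add("ComsvcsMinidump")                              # Branch 4
    elif ev["table"] == "DeviceEvents":
        if ev["action"] == "OpenProcessApiCall" and ev["target"].lower() == "lsass.exe" \
                and ev["file"].lower() not in LSASS_ALLOWED:
            hits.add("LsassAccess")                                  # Branch 3
    elif ev["table"] == "DeviceRegistryEvents":
        if ev["action"] in ("RegistryKeyExportToFile", "RegistryValueSet") \
                and has_any(ev["key"], CRED_HIVES) \
                and ev["file"].lower() not in REGISTRY_ALLOWED:
            hits.add("RegistryHiveDump")                             # Branch 5
    return hits


def score(events):
    """Group branch hits by (device, account, file) and rank by the number of distinct
    branches, mirroring the union/summarize/RiskScore tail of the KQL query."""
    groups = defaultdict(lambda: {"branches": set(), "count": 0, "commands": set()})
    for ev in events:
        hits = branches_for(ev)
        if not hits:
            continue
        g = groups[(ev["device"], ev["account"], ev["file"])]
        g["branches"] |= hits
        g["count"] += len(hits)          # the KQL union yields one row per branch hit
        g["commands"].add(ev["cmdline"])
    rows = [{"device": d, "account": a, "file": f, "risk": len(g["branches"]), **g}
            for (d, a, f), g in groups.items()]
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


# Constructed sample telemetry: four suspicious hosts plus benign Defender/svchost activity.
SAMPLE_EVENTS = [
    {"table": "DeviceProcessEvents", "device": "WS01", "account": "alice", "file": "powershell.exe",
     "cmdline": 'powershell.exe -c "mimikatz.exe privilege::debug sekurlsa::logonpasswords"'},
    {"table": "DeviceProcessEvents", "device": "WS02", "account": "bob", "file": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 0 C:\\Temp\\out.dmp full"},
    {"table": "DeviceProcessEvents", "device": "WS03", "account": "carol", "file": "reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Users\\carol\\AppData\\Local\\Temp\\sam.hiv"},
    {"table": "DeviceRegistryEvents", "device": "WS03", "account": "carol", "file": "reg.exe",
     "action": "RegistryKeyExportToFile", "key": "HKLM\\SAM",
     "cmdline": "reg save HKLM\\SAM C:\\Users\\carol\\AppData\\Local\\Temp\\sam.hiv"},
    {"table": "DeviceProcessEvents", "device": "WS04", "account": "dave", "file": "procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"table": "DeviceEvents", "device": "WS04", "account": "dave", "file": "procdump64.exe",
     "action": "OpenProcessApiCall", "target": "lsass.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    # Benign: the Defender engine scanning LSASS memory is on the allowlist
    {"table": "DeviceEvents", "device": "WS05", "account": "SYSTEM", "file": "MsMpEng.exe",
     "action": "OpenProcessApiCall", "target": "lsass.exe", "cmdline": "MsMpEng.exe"},
    {"table": "DeviceProcessEvents", "device": "WS05", "account": "SYSTEM", "file": "svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for row in score(SAMPLE_EVENTS):
        print(row["risk"], row["device"], row["account"], row["file"], sorted(row["branches"]))
```

Run as a script it prints WS04 first with RiskScore 3 (ToolName, SuspiciousArgs and LsassAccess all fire for procdump64.exe), the three two-branch hosts next, and nothing for WS05. The `has_term` helper is the part worth keeping in mind when tuning: because `SYSTEM` is matched as a whole term, `System32` paths do not trigger Branch 2, but a plain `HKLM\SYSTEM` argument does, which is the noise source the description above warns about.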
References (12)
- https://attack.mitre.org/techniques/T1003/
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://adsecurity.org/?p=1729
- https://github.com/gentilkiwi/mimikatz
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/credential_access
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://www.mandiant.com/resources/blog/detecting-mimikatz-in-your-environment
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/mimikatz.htm
- https://www.cybereason.com/blog/the-anatomy-of-mimikatz