T1003 Splunk · SPL

Detect OS Credential Dumping in Splunk

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Canonical reference
https://attack.mitre.org/techniques/T1003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval is_tool_name=if(
    match(lower(coalesce(Image, ProcessName, "")),
      "mimikatz|mimilib|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump"
    ), 1, 0
  )
| eval is_suspicious_args=if(
    match(lower(coalesce(CommandLine, NewProcessName, "")),
      "sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|comsvcs.*minidump|out-minidump|pypykatz|volatility"
    ), 1, 0
  )
| eval is_lsass_access=if(
    (EventCode=10 AND match(lower(coalesce(TargetImage, "")), "lsass\.exe")
     AND NOT match(lower(coalesce(SourceImage, "")),
       "msmpeng|svchost|csrss|wininit|system|taskmgr|services"
     )
    ), 1, 0
  )
| eval is_comsvcs_minidump=if(
    (EventCode=1
     AND match(lower(coalesce(Image, "")), "rundll32\.exe")
     AND match(lower(coalesce(CommandLine, "")), "comsvcs")
     AND match(lower(coalesce(CommandLine, "")), "minidump")
    ), 1, 0
  )
| eval SuspicionScore = is_tool_name + is_suspicious_args + is_lsass_access + is_comsvcs_minidump
| where SuspicionScore > 0
| eval DetectionBranches=mvappend(
    if(is_tool_name=1, "ToolName", null()),
    if(is_suspicious_args=1, "SuspiciousArgs", null()),
    if(is_lsass_access=1, "LsassAccess", null()),
    if(is_comsvcs_minidump=1, "ComsvcsMinidump", null())
  )
| eval CommandLine=coalesce(CommandLine, NewProcessName, "")
| eval ProcessImage=coalesce(Image, ProcessName, "")
| eval ParentImage=coalesce(ParentImage, ParentProcessName, "")
| table _time, host, User, ProcessImage, CommandLine, ParentImage,
        is_tool_name, is_suspicious_args, is_lsass_access, is_comsvcs_minidump,
        SuspicionScore, DetectionBranches
| sort - SuspicionScore, - _time
critical severity high confidence

Multi-branch credential dumping detection using Sysmon Event ID 1 (Process Creation), Event ID 10 (Process Access), and Security Event ID 4688. Evaluates four categories: known tool binary names, suspicious credential-targeting arguments, unauthorized LSASS memory access from unexpected processes, and comsvcs.dll MiniDump invocations. A cumulative SuspicionScore drives alert prioritization — score of 2 or higher warrants immediate escalation. Field normalization handles differences between Sysmon and Security event schemas.

Data Sources

Process: Process CreationProcess: Process AccessSysmon Event ID 1Sysmon Event ID 10Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Legitimate security tools and EDR agents (CrowdStrike Falcon, Carbon Black, SentinelOne) that access LSASS for memory scanning and threat detection
  • Authorized penetration testing or red team exercises using Mimikatz or ProcDump against non-production systems
  • IT helpdesk or sysadmin tools that access SAM or SECURITY hives for backup, recovery, or password synchronization tasks
  • Microsoft SCCM, Intune, or backup agents that read registry hives during system state backups
  • Vulnerability scanning tools (Tenable Nessus, Qualys) that enumerate credential-related registry keys during credentialed scans
Download portable Sigma rule (.yml)

Other platforms for T1003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz sekurlsa::logonpasswords Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.

  2. Test 2LSASS Memory Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.

  3. Test 3Registry Hive Save for Offline SAM Extraction

    Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.

  4. Test 4Linux /etc/shadow Read Attempt

    Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.

  5. Test 5ProcDump LSASS Dump Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadowT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1558.003KerberoastingT1558.001Golden TicketT1562.001Disable or Modify ToolsT1134.001Token Impersonation/Theft

Same Tactic: Credential Access

Popular Detections