T1003 Sumo Logic CSE · Sumo

Detect OS Credential Dumping in Sumo Logic CSE

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. This parent technique encompasses multiple sub-techniques targeting LSASS memory, SAM database, NTDS, LSA Secrets, cached domain credentials, DCSync, the Linux /proc filesystem, and /etc/passwd and /etc/shadow files. Credential material is subsequently used for lateral movement, privilege escalation, and persistent access. Widely used by APT groups including APT32, APT39, Ember Bear, BlackByte, Tonto Team, and Mustang Panda, as well as malware families such as Mimikatz, Carbanak, MgBot, and Revenge RAT.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1003 OS Credential Dumping
Canonical reference: https://attack.mitre.org/techniques/T1003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="windows/system")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Data Name='TargetImage'>*</Data>" as target_image nodrop
| parse field=_raw "<Data Name='SourceImage'>*</Data>" as source_image nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
| parse field=_raw "<Data Name='NewProcessName'>*</Data>" as new_process nodrop
// Sysmon EID 1 carries Image, Security EID 4688 carries NewProcessName; both use the same CommandLine element.
// Sumo Logic has no eval operator: derived fields are written as "| expression as field".
// Nulls are coalesced to "" so EID 10 events (which have no Image/CommandLine) still reach the scoring step.
| if(!isNull(process_image), process_image, if(!isNull(new_process), new_process, "")) as process_name
| if(!isNull(command_line), command_line, "") as cmd
| toLowerCase(process_name) as process_lc
| toLowerCase(cmd) as cmd_lc
| if(!isNull(target_image), toLowerCase(target_image), "") as target_lc
| if(!isNull(source_image), toLowerCase(source_image), "") as source_lc
// Tool name detection (regex form of matches uses /.../ delimiters)
| if(process_lc matches /.*(mimikatz|mimilib|mimidrv|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump).*/, 1, 0) as is_tool_name
// Suspicious arguments
| if(cmd_lc matches /.*(sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|out-minidump|pypykatz|volatility).*/, 1, 0) as is_suspicious_args
// LSASS process access (Sysmon EID 10). The exclusion list is anchored on the file name:
// a bare "system" substring would also match every C:\Windows\System32\ path and silence the branch.
| if(event_id = "10"
    AND target_lc matches /.*\\lsass\.exe/
    AND !(source_lc matches /(.*\\(msmpeng|svchost|csrss|wininit|taskmgr|services)\.exe|system)/),
    1, 0) as is_lsass_access
// comsvcs MiniDump via rundll32
| if(process_lc matches /.*\\rundll32\.exe/
    AND cmd_lc matches /.*comsvcs.*/
    AND cmd_lc matches /.*minidump.*/,
    1, 0) as is_comsvcs_minidump
| is_tool_name + is_suspicious_args + is_lsass_access + is_comsvcs_minidump as suspicion_score
| where suspicion_score > 0
| concat(if(is_tool_name = 1, "ToolName ", ""),
         if(is_suspicious_args = 1, "SuspiciousArgs ", ""),
         if(is_lsass_access = 1, "LsassAccess ", ""),
         if(is_comsvcs_minidump = 1, "ComsvcsMinidump ", "")) as detection_branches
| fields _messageTime, _sourceHost, user, process_name, cmd, parent_image,
         is_tool_name, is_suspicious_args, is_lsass_access, is_comsvcs_minidump,
         suspicion_score, detection_branches
| sort by suspicion_score desc, _messageTime desc
Severity: critical. Confidence: high.

Sumo Logic detection for T1003 OS Credential Dumping. It parses Sysmon (EID 1, 10) and Security (EID 4688) events to identify known tool names, credential-harvesting arguments, LSASS process access, and comsvcs.dll MiniDump execution. Each branch adds 1 to suspicion_score, so a single branch is enough to surface an event, and detection_branches records which branches fired; the scored, multi-branch approach mirrors the KQL/SPL versions of this detection.

Data Sources

  • Sumo Logic Installed Collector with Sysmon source
  • Windows Security Event Log source
  • Sumo Logic Cloud SIEM (CSE)

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • EDR and AV agents (e.g. Defender, CrowdStrike) accessing LSASS as part of normal telemetry collection
  • Authorized penetration testing or red team operations with formal approval
  • Legitimate use of ProcDump by developers for crash dump analysis on non-LSASS targets
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz sekurlsa::logonpasswords Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'sekurlsa' and 'logonpasswords'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the simulated command content.

  2. Test 2: LSASS Memory Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'comsvcs.dll' and 'MiniDump'. Security Event ID 4688 with same details. The command will fail for PID 0 but process creation telemetry is generated regardless.

  3. Test 3: Registry Hive Save for Offline SAM Extraction

    Expected signal: Sysmon Event ID 1: Three Process Create events with Image=reg.exe and CommandLines matching 'save HKLM\SAM', 'save HKLM\SYSTEM', and 'save HKLM\SECURITY'. Sysmon Event ID 11: File creation events for .hiv files in %TEMP%. Security Event ID 4688 for each reg.exe invocation.

  4. Test 4: Linux /etc/shadow Read Attempt

    Expected signal: Linux auditd SYSCALL record with syscall=openat and path=/etc/shadow. Syslog entry showing sudo usage. If auditd is configured with a rule for -w /etc/shadow -p rwa, an AUDIT_WATCH_READ record is generated. /var/log/auth.log will show the sudo invocation.

  5. Test 5: ProcDump LSASS Dump Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'procdump' and 'lsass'. Child process create for cmd.exe spawned by PowerShell. PowerShell ScriptBlock Log Event ID 4104 capturing the simulated command.
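To check the four branches offline before the query goes live, here is an added Python harness (not part of the original page or of Sumo Logic's tooling) that re-implements the branch logic and runs it over constructed Sysmon-style events modelled on Tests 1 and 2 above plus two Event ID 10 LSASS-access records; the XML shapes and file paths are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Patterns mirror the four branches of the Sumo query; matching is a case-insensitive
# substring search (inputs are lower-cased first, as the query does).
TOOL_NAMES = re.compile(r"mimikatz|mimilib|mimidrv|procdump|wce\.exe|pwdump|fgdump|gsecdump|cachedump|lsadump|lazagne|nanodump|handlekatz|sharpdump|sharpkatz|safetydump")
SUSPICIOUS_ARGS = re.compile(r"sekurlsa|lsadump|dcsync|logonpasswords|wdigest|privilege::debug|token::elevate|ntds\.dit|out-minidump|pypykatz|volatility")
# Expected LSASS readers, anchored on the file name so "system" cannot swallow every System32 path.
LSASS_READERS_OK = re.compile(r"(^|\\)(msmpeng|svchost|csrss|wininit|taskmgr|services)\.exe$|^system$")

def parse_event(xml_text):
    """Return EventID plus every <Data Name=...> element of one event as a dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext(".//EventID", "")}
    for d in root.iter("Data"):
        fields[d.get("Name", "")] = d.text or ""
    return fields

def score_event(ev):
    """Return (suspicion_score, detection_branches) for one parsed event."""
    proc = (ev.get("Image") or ev.get("NewProcessName") or "").lower()
    cmd = (ev.get("CommandLine") or "").lower()
    target, source = ev.get("TargetImage", "").lower(), ev.get("SourceImage", "").lower()
    checks = [
        ("ToolName", bool(TOOL_NAMES.search(proc))),
        ("SuspiciousArgs", bool(SUSPICIOUS_ARGS.search(cmd))),
        ("LsassAccess", ev.get("EventID") == "10" and target.endswith("lsass.exe")
                        and not LSASS_READERS_OK.search(source)),
        ("ComsvcsMinidump", proc.endswith("rundll32.exe") and "comsvcs" in cmd and "minidump" in cmd),
    ]
    branches = [name for name, hit in checks if hit]
    return len(branches), branches

# Constructed sample events (not real telemetry): Test 1, Test 2, Defender's engine
# reading LSASS (should not fire) and rundll32 reading LSASS (should fire).
SAMPLE_EVENTS = [
    r"<Event><System><EventID>1</EventID></System><EventData><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>"
    r"<Data Name='CommandLine'>powershell.exe -c sekurlsa::logonpasswords</Data></EventData></Event>",
    r"<Event><System><EventID>1</EventID></System><EventData><Data Name='Image'>C:\Windows\System32\rundll32.exe</Data>"
    r"<Data Name='CommandLine'>rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 0 C:\Temp\out.dmp full</Data></EventData></Event>",
    r"<Event><System><EventID>10</EventID></System><EventData><Data Name='SourceImage'>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2\MsMpEng.exe</Data>"
    r"<Data Name='TargetImage'>C:\Windows\system32\lsass.exe</Data></EventData></Event>",
    r"<Event><System><EventID>10</EventID></System><EventData><Data Name='SourceImage'>C:\Windows\System32\rundll32.exe</Data>"
    r"<Data Name='TargetImage'>C:\Windows\system32\lsass.exe</Data></EventData></Event>",
]

def score_samples():
    """Score each sample in order; the Defender read should be the only zero."""
    return [score_event(parse_event(e)) for e in SAMPLE_EVENTS]
```

Swap in your own exported events to confirm which branch fires for each Atomic test, and extend LSASS_READERS_OK with the EDR binaries from the tuning list rather than loosening the patterns.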
