Detecting Credential Dumping with EDR

When to Use

• When hunting for post-exploitation credential theft in compromised environments
• After detecting suspicious LSASS process access in EDR alerts
• When investigating potential Active Directory compromise
• During incident response to determine scope of credential exposure
• When proactively hunting for T1003 sub-techniques across endpoints

Prerequisites

• EDR platform with process access monitoring (CrowdStrike, MDE, SentinelOne)
• Sysmon deployed with Event ID 10 (Process Access) configured for LSASS
• Windows Security Event Log 4688 with command-line auditing enabled
• Active Directory event forwarding for DCSync detection (Event ID 4662)
• Windows Security Event Log 4656/4663 for SAM registry access

Workflow

1. Identify Credential Dumping Vectors: Map the T1003 sub-techniques relevant to your environment (LSASS Memory, SAM, NTDS, DCSync, /etc/passwd, Cached Credentials).
2. Query LSASS Access Events: Search for Sysmon Event ID 10 where TargetImage is lsass.exe with suspicious GrantedAccess masks (0x1010, 0x1038, 0x1FFFFF).
3. Analyze Process Context: Examine the source process accessing LSASS - legitimate security tools vs. unknown or suspicious binaries.
4. Hunt for SAM/NTDS Access: Query for reg.exe save operations against SAM/SECURITY/SYSTEM hives and ntdsutil/vssadmin shadow copy access.
5. Detect DCSync Activity: Monitor for DS-Replication-Get-Changes requests from non-domain-controller sources (Event ID 4662).
6. Correlate with Network Activity: Cross-reference credential dumping with subsequent lateral movement or authentication anomalies.
7. Assess Impact and Report: Determine which credentials were potentially exposed and recommend password resets and containment.

Key Concepts

Tools & Systems

Common Scenarios

1. Mimikatz LSASS Dump: Attacker runs sekurlsa::logonpasswords causing direct LSASS memory read with GrantedAccess 0x1010.
2. Comsvcs.dll MiniDump: Process uses rundll32.exe comsvcs.dll MiniDump [LSASS PID] to create LSASS memory dump file.
3. ProcDump LSASS: Attacker uses Microsoft-signed procdump.exe with -ma lsass.exe to dump LSASS memory.
4. SAM Registry Export: Adversary runs reg save HKLM\SAM sam.bak to extract local password hashes.
5. DCSync Replication: Compromised account with Replicating Directory Changes permissions performs DCSync from a workstation.
6. NTDS Shadow Copy: Attacker uses vssadmin create shadow /for=C: then copies ntds.dit from the shadow copy.

Output Format

Hunt ID: TH-CRED-DUMP-[DATE]-[SEQ]
Technique: T1003.[Sub-technique]
Source Process: [Process accessing LSASS/SAM/NTDS]
Target: [lsass.exe / SAM / NTDS.dit / DC Replication]
Host: [Hostname]
User: [Account context]
GrantedAccess: [Access mask if applicable]
Timestamp: [UTC]
Risk Level: [Critical/High/Medium/Low]
Evidence: [Log entries, process tree, network activity]
Recommended Action: [Password reset scope, containment steps]