HUNTS- Credential Dumping (T1003)
Version 1.0
ATT&CK Technique: Credential Dumping (T1003)
What this playbook hunts for:
- Inter-process access to lsass.exe by a non-standard (non-Windows, non-whitelisted) process. Lsass.exe stores credentials on Windows hosts, making it a target for attackers and malicious software. On hosts running Windows 8 (excluding Windows 8.1) and below, dumping the lsass.exe process can expose plain-text credentials, including passwords and hashes.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 10 (ProcessAccess) logs where lsass.exe is the target process
- Enriches the query results with a subsequent Sysmon Event ID 1 (process creation) query that captures detailed process information on the process accessing lsass.exe
What results are expected:
- Name, process ID, and path of the process accessing lsass.exe
- Lsass.exe access time
- MD5 hash of the process accessing lsass.exe
- Hostname of the computer where lsass.exe was accessed
- User account that launched the process accessing lsass.exe
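The hunt logic described under "How the playbook works" and the fields listed above, as an added example that is not the playbook's own code: Sysmon Event ID 10 records targeting lsass.exe are filtered against an assumed whitelist and joined to Event ID 1 records on the source process GUID. The whitelist entries, GUIDs, hostnames, paths and hashes are constructed sample values.

```python
# Added example (not the playbook's own code): Sysmon Event ID 10 records
# targeting lsass.exe are filtered against an assumed whitelist and joined
# to Event ID 1 records via the source process GUID for enrichment.
LSASS = r"c:\windows\system32\lsass.exe"
# Assumed whitelist of legitimate lsass.exe accessors; tune per environment.
WHITELIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, Sysmon field names.
EVENT_10 = [
    {"UtcTime": "2024-01-15 10:02:11.123", "Computer": "WS01",
     "SourceProcessGUID": "{GUID-A}", "SourceProcessId": 612,
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"UtcTime": "2024-01-15 10:05:42.987", "Computer": "WS01",
     "SourceProcessGUID": "{GUID-B}", "SourceProcessId": 4488,
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
]
# Constructed Sysmon Event ID 1 (process creation) record for the source process.
EVENT_1 = [
    {"ProcessGuid": "{GUID-B}", "ProcessId": 4488, "Computer": "WS01",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\x.exe", "User": r"CORP\jdoe",
     "Hashes": "SHA256=0000(constructed),MD5=D41D8CD98F00B204E9800998ECF8427E"},
]

def md5_from_hashes(hashes):
    """Extract the MD5 value from Sysmon's 'ALG=value,ALG=value' Hashes field."""
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "MD5":
            return value.strip().lower()
    return None

def hunt_lsass_access(ev10, ev1, whitelist=WHITELIST):
    """Return one enriched hit per non-whitelisted process that opened lsass.exe."""
    by_guid = {e["ProcessGuid"]: e for e in ev1}  # join key between ID 10 and ID 1
    hits = []
    for e in ev10:
        if e["TargetImage"].lower() != LSASS:
            continue                      # not the hunt's target process
        if e["SourceImage"].lower() in whitelist:
            continue                      # known-good accessor, suppress
        created = by_guid.get(e["SourceProcessGUID"], {})  # may be missing
        hits.append({"host": e["Computer"], "access_time": e["UtcTime"],
                     "process": e["SourceImage"], "pid": e["SourceProcessId"],
                     "md5": md5_from_hashes(created.get("Hashes", "")),
                     "user": created.get("User")})
    return hits
```

A hit whose Event ID 1 record is outside the hunt window still surfaces, with md5 and user left as None, so the join never hides an lsass.exe access.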
Common follow-on actions:
- Enumerate logged-on users (identify which credentials were exposed)
- Detect lateral movement (identify other potentially compromised hosts)
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Logs: Sysmon Event ID 10: ProcessAccess
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled with the following added to the configuration file under the SYSMON EVENT ID 10 section:
  <ProcessAccess onmatch="include">
    <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
  </ProcessAccess>
False Positive Potential: Medium
- Depending on the environment, many processes may legitimately need to access lsass.exe. It is highly recommended that the Sysmon configuration described above be tested on a small group of systems before being deployed across the enterprise, as a large number of events may be produced.
- Process accesses that are determined to be false positives should be added to the ProcessAccess "exclude" section of the Sysmon configuration to create a whitelist and reduce the number of events generated. Additional filtering can also be added to the initial SIEM query.