
In the shadowy depths of your network, whispers grow louder — something isn’t right. Adversaries are on the prowl, targeting the very keys to your kingdom: your credentials. T1003 – OS Credential Dumping is their weapon of choice to steal password hashes and sensitive authentication materials. They quietly harvest secrets to impersonate users, escalate privileges, and move laterally through your environment.

Protecting credentials is critical to maintaining the confidentiality, integrity, and availability of your systems. The challenge is to uncover signs of OS Credential Dumping and assess whether an adversary has attempted to harvest sensitive authentication data — or confirm that your defenses are holding strong.
This hunt matters because once credentials are stolen, the door to your infrastructure is left wide open. It’s time to arm yourself, dig into the logs, and expose their movements. The hunt for OS Credential Dumping begins now. Can you track the adversaries lurking within your systems and unmask their tricks? Let’s sharpen our tools and find out!
Understanding the technique
T1003 – OS Credential Dumping is a technique within the MITRE ATT&CK® framework that adversaries use to obtain credentials stored in operating systems. By extracting password hashes, plaintext passwords, or authentication tokens, attackers gain the ability to impersonate legitimate users, escalate privileges, and move laterally across your environment. The technique is categorized under the Credential Access tactic, as it directly targets sensitive credentials to advance an attack.
T1003 includes several dangerous sub-techniques that highlight the diverse ways adversaries can dump credentials:
If left undetected, OS Credential Dumping can lead to catastrophic consequences. Attackers who gain access to credentials can bypass authentication mechanisms, impersonate privileged users, and maintain Persistence throughout your network. This compromises confidentiality as sensitive accounts and systems are exposed, disrupts integrity by allowing unauthorized access, and jeopardizes availability as attackers escalate privileges to disable critical systems.
In the broader MITRE ATT&CK framework, T1003 is a gateway for attackers to pivot from Credential Access to other phases of an attack, such as Lateral Movement, Persistence, and even Impact. Failing to detect and mitigate this technique can allow adversaries to establish control over your environment, leading to data theft, ransomware deployment, or complete system compromise.
Understanding the significance of T1003 is paramount — hunting for this activity ensures you can protect the keys to your kingdom before attackers use them against you.
Data sources to optimize the hunt
Detecting OS Credential Dumping (T1003) requires leveraging a combination of logs, monitoring tools, and data sources that provide visibility into process execution, file access, registry manipulation, and memory interactions. Below is a breakdown of essential data sources and what they detect, as well as recommended Elastic integrations to optimize the hunt:
1. Process monitoring
- Detects: Processes interacting with LSASS memory (lsass.exe), tools like Mimikatz, and suspicious process creation events
- Relevance: Critical for detecting tools or scripts attempting to dump credentials in memory
- Elastic integration: Use Elastic Endpoint Security, Windows Integration, or another Elastic integration that collects logging information from a third party to monitor process creation events, command-line arguments, and anomalous behavior.
2. Windows event logs (security and system)
- Detects: Unauthorized access to registry hives (SAM, SECURITY), system files (ntds.dit), and cached credentials; also flags Privilege Escalation attempts
- Relevance: Provides insights into adversary access to sensitive files and resources
- Elastic integration: Use Windows Integration or another Elastic integration that collects logging information from a third party to capture relevant Security Event IDs such as Event ID 4663 (Object Access: File or Registry), Event ID 4688 (Process Creation), and Event ID 4656 (Handle Requested for Object Access).
3. File access logs
- Detects: Attempts to access sensitive files like:
  - C:\Windows\System32\config\SAM, which stores local user account password hashes for authentication
  - C:\Windows\System32\config\SECURITY, which contains system security policies, including local security authority (LSA) secrets
  - NTDS.dit, the target of Active Directory credential dumping
- Relevance: Helps detect unauthorized attempts to copy or dump system files
- Elastic integration: Use File Integrity Monitoring or another Elastic integration that collects logging information from a third party for file integrity monitoring and file access tracking.
4. Registry monitoring
- Detects: Adversaries accessing or exporting registry hives, such as SAM, SECURITY, or SYSTEM, to retrieve credential data
- Relevance: Monitors manipulation of critical registry keys and hive exports using commands like reg save
- Elastic integration: Use Elastic Endpoint Security or another Elastic integration that collects logging information from a third party to detect suspicious changes or access.
5. Memory forensics
- Detects: Tools accessing LSASS memory (e.g., Mimikatz) to extract credentials
- Relevance: Identifies in-memory attacks that bypass file-based detection mechanisms
- Elastic integration: Use Elastic Endpoint Security or tools like Volatility to analyze memory dumps for credential access.
6. Command execution logs
- Detects: Suspicious commands used to dump credentials, such as:
  - reg save, which exports registry hives, including SAM and SECURITY, which store credential and security policy data
  - vssadmin, which creates a Volume Shadow Copy, often used to access locked system files like NTDS.dit
  - lsass.exe dumps using tools like procdump.exe
- Relevance: Critical for identifying commands or scripts used to trigger credential dumping activities
- Elastic integration: Use Elastic Endpoint Security or another Elastic integration that collects logging information from a third party to monitor command-line executions and log PowerShell events.
7. Audit logs for Active Directory
- Detects: Access to the NTDS.dit file or abnormal replication activity (DCSync attacks)
- Relevance: Protects domain credentials by monitoring access to key AD data
- Elastic integration: Use Elastic Endpoint Security or another Elastic integration that collects logging information from a third party for Active Directory logs.
8. Linux audit logs
- Detects: Attempts to access /proc/mem, /etc/passwd, or /etc/shadow files on Linux systems
- Relevance: Monitors credential dumping attempts on Unix-based systems
- Elastic integration: Use Elastic Endpoint Security, File Integrity Monitoring, or another Elastic integration that collects file integrity monitoring data from a third party, to track access to these sensitive files.
Threat hunting with ES|QL queries
ES|QL lets us query and analyze large volumes of security data within Elasticsearch, so let's use it to track down Credential Dumping activities. ES|QL enables analysts to write queries intuitively, correlate events, and uncover anomalies associated with techniques like OS Credential Dumping. By leveraging ES|QL's powerful filtering, aggregation, and transformation capabilities, SOC teams can quickly pinpoint suspicious process activities, anomalous file access patterns, or unauthorized registry changes. This approach simplifies complex hunting tasks, making it easier to detect, investigate, and respond to potential threats in real time while leveraging the flexibility and speed of the Elastic Stack.
Query 1: Detect processes accessing LSASS memory (T1003.001)
FROM logs-*
| WHERE TO_LOWER(process.name) == "lsass.exe"
AND TO_LOWER(process.parent.name) IN ("procdump.exe", "mimikatz.exe", "powershell.exe")
| KEEP process.name, process.parent.name, process.command_line, user.name, host.name, @timestamp
Explanation: This query identifies processes interacting with lsass.exe, a common target for credential dumping tools like Mimikatz or Procdump. Accessing LSASS memory is a key indicator of T1003.001.
Query 2: Monitor registry hive exports (T1003.002)
FROM logs-*
| WHERE TO_LOWER(process.command_line) LIKE "*reg save*"
AND (TO_LOWER(process.command_line) LIKE "*\\\\sam*"
OR TO_LOWER(process.command_line) LIKE "*\\\\security*"
OR TO_LOWER(process.command_line) LIKE "*\\\\system*")
| KEEP process.command_line, user.name, host.name, @timestamp
Explanation: This query flags the use of the reg save command, which adversaries use to export the SAM, SECURITY, and SYSTEM registry hives. These files contain credential information.
Query 3: Detect NTDS.dit access for Active Directory dumping (T1003.003)
FROM logs-*
| WHERE TO_LOWER(file.path) LIKE "*\\\\ntds.dit"
AND TO_LOWER(event.action) == "access"
| KEEP file.path, user.name, host.name, @timestamp
Explanation: Adversaries dump the ntds.dit file to retrieve domain credentials. This query detects unauthorized access attempts to the NTDS file in Active Directory environments.
Query 4: Detect suspicious DCSync behavior (T1003.006)
FROM logs-*
| WHERE event.action == "replication"
AND user.name != "domain_admin"
| KEEP event.action, user.name, host.name, @timestamp
Explanation: The DCSync attack allows an adversary to impersonate a domain controller and retrieve credentials. This query looks for abnormal replication requests from non-admin accounts.
Query 5: Monitor access to /etc/passwd and /etc/shadow (T1003.008)
FROM logs-*
| WHERE file.path IN ("/etc/passwd", "/etc/shadow") AND event.action == "read"
| KEEP file.path, user.name, host.name, @timestamp
Explanation: On Unix-based systems, attackers dump /etc/passwd and /etc/shadow files to obtain user account information and password hashes. This query detects unauthorized read access.
Query 6: Identify cached domain credential dumps (T1003.005)
FROM logs-*
| WHERE process.command_line LIKE "*reg.exe*"
OR process.command_line LIKE "*HKLM\\\\SECURITY*"
| KEEP process.command_line, user.name, host.name, @timestamp
Explanation: Cached domain credentials are often stored in the SECURITY hive. This query detects attempts to dump cached credentials using registry commands.
Query 7: Detect Mimikatz execution in command-line
FROM logs-*
| WHERE TO_LOWER(process.command_line) LIKE "*mimikatz*"
| KEEP process.name, process.command_line, user.name, host.name, @timestamp
Explanation: Mimikatz is a popular tool for credential dumping. This query flags direct invocations of Mimikatz or similar tools in the command line.
Query 8: Identify suspicious use of Procdump for LSASS dumping
FROM logs-*
| WHERE TO_LOWER(process.command_line) LIKE "*procdump*"
AND TO_LOWER(process.command_line) LIKE "*lsass*"
| KEEP process.command_line, user.name, host.name, @timestamp
Explanation: Procdump is sometimes used to dump LSASS memory. This query detects any use of Procdump targeting LSASS.
Query 9: Detect unusual file access on SAM registry hive
FROM logs-*
| WHERE file.path LIKE "C:\\\\Windows\\\\System32\\\\config\\\\SAM"
AND event.action IN ("read", "access", "open")
| KEEP file.path, user.name, process.name, host.name, @timestamp
Explanation: The SAM registry hive contains hashed credentials. This query detects any unauthorized attempts to read or access the file.
Query 10: Monitor volume shadow copy usage
FROM logs-*
| WHERE TO_LOWER(process.command_line) LIKE "*vssadmin*"
AND TO_LOWER(process.command_line) LIKE "*create shadow*"
| KEEP process.command_line, user.name, host.name, @timestamp
Explanation: Adversaries create shadow copies to bypass file locks and access sensitive files like ntds.dit. This query monitors the creation of shadow copies.
Query 11: Detect tools accessing /proc/mem for credential dumps
FROM logs-*
| WHERE TO_LOWER(file.path) LIKE "/proc/*"
AND TO_LOWER(process.name) IN ("gcore", "dd", "cat")
| KEEP file.path, process.name, user.name, host.name, @timestamp
Explanation: On Linux, adversaries can dump process memory via the /proc filesystem. This query identifies suspicious tools accessing /proc paths.
Query 12: Detect large NTDS.dit file transfers
FROM logs-*
| WHERE network.protocol == "smb"
AND file.name LIKE "ntds.dit*"
| KEEP file.name, source.ip, destination.ip, @timestamp
Explanation: This query detects large SMB file transfers involving ntds.dit, indicating possible exfiltration of Active Directory credentials.
Query 13: Monitor PowerShell scripts targeting LSASS
FROM logs-*
| WHERE TO_LOWER(process.command_line) LIKE "*powershell*"
AND TO_LOWER(process.command_line) LIKE "*lsass*"
| KEEP process.command_line, user.name, host.name, @timestamp
Explanation: Adversaries often use PowerShell scripts to dump LSASS memory. This query detects PowerShell commands targeting LSASS.
Query 14: Detect attempts to copy sensitive registry hives
FROM logs-*
| WHERE (file.path LIKE "*\\\\SYSTEM"
OR file.path LIKE "*\\\\SECURITY"
OR file.path LIKE "*\\\\SAM")
AND event.action == "copy"
| KEEP file.path, user.name, host.name, @timestamp
Explanation: Attackers copy registry hives to extract credentials offline. This query detects such attempts.
Query 15: Identify new tools writing to sensitive credential files
FROM logs-*
| WHERE (file.path == "/etc/shadow"
OR file.path LIKE "*\\\\SAM"
OR file.path LIKE "*\\\\SECURITY")
AND event.action == "write"
| KEEP file.path, user.name, process.name, host.name, @timestamp
Explanation: This query monitors write operations to critical files like /etc/shadow or SAM, which may indicate tampering or malicious credential extraction attempts.
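To check what the LIKE literals in these queries actually match (in particular why one path separator is written as four backslashes) and to exercise the hunt logic offline, the following Python is an added example; it is not Elastic's code and not an ES|QL engine. It emulates ES|QL's string-literal escaping and LIKE wildcard escaping locally, builds a correctly escaped literal from a Windows path, and runs the logic of Queries 2, 5, 8 and 10 over constructed ECS-style events. The pattern literals are the ones written in the queries above; the events, hostnames, usernames and hunt labels are constructed. The command-line hunts lowercase the field first, as Query 10 does.

```python
"""Local emulation of the ES|QL LIKE patterns used in this post, run over constructed events."""
import re

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}


def _unescape_literal(literal):
    """Turn an ES|QL double-quoted string literal (as written in query text) into the pattern it denotes."""
    if not (literal.startswith('"') and literal.endswith('"')):
        raise ValueError("expected a double-quoted ES|QL string literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_ESCAPES.get(nxt, nxt))  # \\ -> \, \" -> ", \n -> newline
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def _like_to_regex(pattern):
    """LIKE semantics: '*' is a wildcard; a backslash escapes the next character."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def esql_like(literal, value):
    """Emulate `value LIKE <literal>`, where `literal` is the exact text written in the query."""
    return _like_to_regex(_unescape_literal(literal)).fullmatch(value or "") is not None


def esql_like_literal(text, leading_wildcard=False, trailing_wildcard=False):
    """Build the query-text literal that matches `text` verbatim under LIKE.

    Each backslash is escaped once for the pattern and once more for the string
    literal, which is why a single path separator appears as four backslashes."""
    pattern = text.replace("\\", "\\\\").replace("*", "\\*")
    pattern = ("*" if leading_wildcard else "") + pattern + ("*" if trailing_wildcard else "")
    return '"' + pattern.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _cl(e):  # TO_LOWER(process.command_line), as Query 10 does
    return (e.get("process.command_line") or "").lower()


# Hunt logic mirroring the post's queries; the LIKE literals are copied from them verbatim.
HUNTS = {
    "Query 2 (T1003.002): reg save of a credential hive":
        lambda e: esql_like('"*reg save*"', _cl(e)) and any(
            esql_like(p, _cl(e)) for p in (r'"*\\\\sam*"', r'"*\\\\security*"', r'"*\\\\system*"')),
    "Query 8: procdump targeting lsass":
        lambda e: esql_like('"*procdump*"', _cl(e)) and esql_like('"*lsass*"', _cl(e)),
    "Query 10: volume shadow copy creation":
        lambda e: esql_like('"*vssadmin*"', _cl(e)) and esql_like('"*create shadow*"', _cl(e)),
    "Query 5 (T1003.008): read of /etc/passwd or /etc/shadow":
        lambda e: e.get("file.path") in ("/etc/passwd", "/etc/shadow") and e.get("event.action") == "read",
}

EVENTS = [  # constructed ECS-style documents; the last one is benign and should not match
    {"host.name": "ws01", "user.name": "jdoe", "process.command_line": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"host.name": "ws02", "user.name": "jdoe", "process.command_line": r"procdump64.exe -ma lsass.exe C:\Temp\out.dmp"},
    {"host.name": "dc01", "user.name": "svc_backup", "process.command_line": "vssadmin create shadow /for=C:"},
    {"host.name": "web01", "user.name": "www-data", "file.path": "/etc/shadow", "event.action": "read"},
    {"host.name": "ws03", "user.name": "alice", "process.command_line": r"reg query HKCU\Software\Microsoft\Office"},
]


def hunt(events):
    """Return (hunt label, host.name) for every event that a hunt matches."""
    hits = []
    for e in events:
        for label, rule in HUNTS.items():
            if rule(e):
                hits.append((label, e["host.name"]))
    return hits


if __name__ == "__main__":
    for label, host in hunt(EVENTS):
        print(f"{host}: {label}")
```

The esql_like_literal helper reproduces the literal used in Query 3: passing the path fragment \ntds.dit with a leading wildcard yields "*\\\\ntds.dit", and esql_like confirms it matches a lower-cased NTDS path while "*\\\\sam*" does not match a command line that merely mentions sam.hiv without a preceding separator.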
Hunt efficiently
The whispers in your network have grown silent, but what did you uncover? Were you able to catch the adversary red-handed, dumping credentials from LSASS memory or exfiltrating the NTDS.dit file under the cover of darkness? Perhaps you followed the trails of registry exports, shadow copies, or suspicious processes trying to claim your keys to the kingdom. Whether you proved the adversary’s activity or validated your defenses, you have strengthened your security posture and sharpened your detection capabilities.
Remember, OS Credential Dumping (T1003) is relied upon for escalating privileges, impersonating users, and traversing your environment like a ghost in the machine. The hunt for stolen credentials is a critical effort that can expose silent intruders before they wreak havoc. By monitoring LSASS access, registry hives, and file activity, you have not only thwarted today’s threats but also prepared for tomorrow’s battles.
So, did you uncover the adversary, or can you confidently prove they weren’t there? Either way, your network is now safer, your defenses stronger, and your tools sharper. But stay vigilant — credential dumping remains a relentless adversarial technique, and the hunt is never truly over.
To elevate your threat hunting capabilities, check out the Elastic Security Labs Threat Hunting package. Stay ahead of adversaries with advanced detection strategies and keep refining your skills.
Keep hunting, and always stay one step ahead.
The release and timing of any features or functionality described in this post remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.