Analyze Evidence of Credential Dumping Techniques
Analyze evidence of credential dumping including LSASS access, SAM database extraction, DCSync attacks, Kerberoasting, and AS-REP roasting. Determine the scope of credential compromise.
Actions
1. Check for LSASS memory access: look for processes reading lsass.exe memory via Event ID 4663, Sysmon Event ID 10 (ProcessAccess with TargetImage containing lsass.exe), and EDR alerts for credential access.
2. Check for SAM/SYSTEM/SECURITY hive copies: `reg save HKLM\SAM`, `reg save HKLM\SYSTEM`, or shadow copy access to these files.
3. Detect DCSync attacks: look for Directory Service Access events (Event ID 4662) with replication rights GUIDs from non-DC sources.
4. Identify Kerberoasting: Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) for service accounts, especially from non-standard sources.
5. Check for AS-REP roasting: Event ID 4768 without pre-authentication for accounts with "Do not require Kerberos preauthentication" set.
6. Detect LSASS credential dumping via comsvcs.dll (a common LOLBin technique): look for `rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <LSASS_PID> dump.bin full` in process creation logs. Also check for `procdump.exe -accepteula -ma lsass.exe` and `sqldumper.exe <LSASS_PID> 0 0x110` (SQL Server LOLBin for memory dumps).
7. Parse cached domain credentials from the SECURITY hive: attackers extract these from `SECURITY\Cache` (stores the last 10 domain logon hashes by default). Also check for LSA Secrets extraction from `SECURITY\Policy\Secrets`, which stores service account passwords, auto-logon credentials, and VPN passwords in cleartext-recoverable form.
8. Hunt for Golden Ticket/Silver Ticket usage: look for Event ID 4769 with abnormally long ticket lifetimes (>10 hours), tickets requested for non-existent SPNs, or TGT requests (4768) from accounts that have not recently authenticated. Golden Tickets bypass normal KDC validation and allow forging any service ticket.
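The following triage routine is an added example, not part of the original runbook: it applies the event-based checks above (Sysmon EID 10 LSASS access, 4662 DCSync, 4769 Kerberoasting, 4768 AS-REP roasting) to normalized JSON-lines telemetry. Field names follow the Sysmon/Security schema used in the queries below, and the sample events are constructed.

```python
import json
from typing import Iterable, Optional

# Replication-rights GUIDs from the DCSync hunt (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All) and the Sysmon EID 10 access masks from the Notes.
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
LSASS_ACCESS_MASKS = {"0x1010", "0x1fffff"}

def classify(event: dict) -> Optional[str]:
    """Label one normalized event with the credential-theft technique it matches, or None."""
    eid = event.get("EventID")
    if (eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and event.get("GrantedAccess", "").lower() in LSASS_ACCESS_MASKS):
        return f"LSASS memory access by {event.get('SourceImage')}"
    # Machine accounts end in '$'; legitimate replication comes from DC computer accounts,
    # so a user principal exercising replication rights is the suspicious case.
    if (eid == 4662 and any(g in event.get("Properties", "") for g in DCSYNC_GUIDS)
            and not event.get("SubjectUserName", "").endswith("$")):
        return f"DCSync by {event['SubjectUserName']}"
    # RC4 (0x17) service tickets for non-machine SPN accounts are Kerberoast candidates.
    if (eid == 4769 and event.get("TicketEncryptionType", "").lower() == "0x17"
            and not event.get("ServiceName", "").endswith("$")):
        return f"Kerberoast of {event['ServiceName']} by {event.get('TargetUserName')}"
    # PreAuthType 0 on a TGT request means pre-authentication was not required.
    if eid == 4768 and str(event.get("PreAuthType")) == "0":
        return f"AS-REP roast candidate {event.get('TargetUserName')}"
    return None

def triage(lines: Iterable[str]) -> list[str]:
    """Run classify() over JSON-lines telemetry and return the non-empty findings in order."""
    return [f for f in (classify(json.loads(ln)) for ln in lines if ln.strip()) if f]

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r'''
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400"}
{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=corp,DC=example", "Properties": "Control Access 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example", "Properties": "Control Access 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"}
{"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"}
{"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0", "IpAddress": "10.0.0.25"}
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Every principal named in a finding belongs on the credential-reset list built during eradication; the `$`-suffix exclusion is the same approximation the DCSync query uses and should be tightened to an explicit list of DC accounts in production.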
Queries
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("mimikatz.exe","procdump.exe","procdump64.exe","sqldumper.exe","rundll32.exe","comsvcs.dll") or ProcessCommandLine has_any ("sekurlsa","lsadump","kerberos::list","privilege::debug","comsvcs","MiniDump") | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName // Credential dumping tools and LOLBins
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4662 | where Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" | where SubjectUserName != "MACHINE_ACCOUNT$" | project TimeGenerated, SubjectUserName, ObjectName, Properties // DCSync detection
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4769 | where TicketEncryptionType == "0x17" | where ServiceName !endswith "$" | project TimeGenerated, TargetUserName, ServiceName, IpAddress, TicketEncryptionType // Kerberoasting detection
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\mimikatz.exe" OR New_Process_Name="*\procdump.exe" OR New_Process_Name="*\procdump64.exe" OR Process_Command_Line="*sekurlsa*" OR Process_Command_Line="*lsadump*") | stats count by Account_Name, New_Process_Name, Process_Command_Line, ComputerName | sort -count
index=wineventlog sourcetype=WinEventLog:Security EventCode=4769 Ticket_Encryption_Type=0x17 Service_Name!="*$" | stats count by Account_Name, Service_Name, Client_Address, Ticket_Encryption_Type | sort -count
Notes
If credential dumping is confirmed, assume ALL credentials on the compromised systems are compromised. This includes domain cached credentials, service account passwords, and any passwords stored in memory.
The scope of credential compromise directly determines the scope of the credential reset during eradication.
Key credential theft Event IDs: 4662 (Directory Service Access -- DCSync), 4769 with EncType 0x17 (Kerberoasting), 4768 (TGT Request -- AS-REP Roasting), 4663 (Object Access on SAM/SECURITY hives), Sysmon EID 10 with TargetImage=lsass.exe and GrantedAccess=0x1010 or 0x1FFFFF (LSASS memory read). Enable these audit policies proactively.