OS Credential Dumping (T1003) is a MITRE ATT&CK technique in the Credential Access tactic. SOC analysts detect it by monitoring for XDR, SIEM events, behavioral anomalies, and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, and structures. Credentials can then be used to perform lateral movement and access restricted information. On Windows systems, the LSASS process stores credentials for logged-on users in memory, making it a prime target for credential dumping tools like Mimikatz. The Security Account Manager (SAM) database and Domain Controller NTDS.dit file contain password hashes for local and domain accounts respectively. Linux systems cache credentials in /etc/shadow and in memory via pluggable authentication module structures. Credential dumping is a critical capability for attackers because it allows them to move laterally using legitimate credentials, bypassing network segmentation and other controls that rely on authentication.
“OS Credential Dumping is documented as technique T1003 in the MITRE ATT&CK knowledge base under the Credential Access tactic. Detection requires visibility into XDR, SIEM telemetry.”
The following detection strategies help SOC analysts identify OS Credential Dumping activity. These methods apply across XDR, SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.
Monitor for process memory access to lsass.exe from unusual processes using Windows APIs like OpenProcess with PROCESS_VM_READ access rights, which is the primary method used by Mimikatz and similar tools.
Alert on the creation of LSASS memory dumps using tools like procdump, comsvcs.dll MiniDump, or direct volume shadow copy access to the NTDS.dit file on domain controllers.
Detect attempts to access the SAM registry hive directly using reg save commands or shadow copy techniques that bypass file locking on the SAM database file.
Monitor for execution of known credential dumping tools by file name, hash, and behavioral signature, including Mimikatz, LaZagne, Dumpert, and their renamed or recompiled variants.
Alert on unusual access patterns to /etc/shadow on Linux systems, LSASS process creation with non-standard parent processes, and DCSync replication requests from non-domain controller machines.
These realistic alert examples show what OS Credential Dumping looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
Process "c:\users\temp\update.exe" attempted to open LSASS.exe memory with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION access flags. This behavior is characteristic of credential dumping tools attempting to extract cached credentials from the Windows LSASS process. The accessing process has no legitimate reason to read LSASS memory and matches behavioral signatures of Mimikatz.
Vssadmin created a new volume shadow copy on domain controller DC-PRIMARY, followed immediately by ntdsutil.exe execution to access the NTDS.dit file from the shadow copy. This technique is used to extract the Active Directory database containing all domain account hashes without directly accessing the locked live database file.
Active Directory replication request detected from workstation WS-HR-014 using MS-DRSR protocol. Workstations should never initiate domain controller replication. The request used the credentials of a recently compromised domain admin account to request all user account hashes from the domain controller, consistent with a DCSync attack using Mimikatz or Impacket secretsdump.
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including OS Credential Dumping. Build detection skills with zero consequences — free forever.
A brute force attack systematically tries large numbers of username and password combinations, or decryption keys, until…
Read more GlossaryMulti-Factor Authentication (MFA) requires users to provide two or more independent verification factors (something you …
Read more GlossaryLateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, usi…
Read more GlossarySecurity Information and Event Management (SIEM) is a platform that aggregates, normalizes, and correlates log data from…
Read more Career PathTier 1 SOC Analysts are the front line. You monitor alert queues, triage incoming detections, classify them as true or f…
Read more Career PathIncident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…
Read more ToolThe XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more ToolThe SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ComparisonSOCSimulator wins on operational realism. You get multi-tool shift simulation with SLA pressure, noise injection, and al…
Read more ComparisonSOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…
Read more PlaybookWhen alerts indicate unusual internal connections, RDP to servers from workstations, PsExec executions, or SMB access to…
Read more PlaybookWhen SIEM detects an unusual volume of Kerberos TGS ticket requests (Event ID 4769) with RC4 encryption from a single ac…
Read moreWe use cookies to improve your experience and measure usage. Learn more