Which Windows events are necessary for this skill?

This skill primarily utilizes Sysmon Event ID 10 (ProcessAccess) for monitoring LSASS and Windows Event ID 4688 (Process Creation) for command-line auditing.

Does this skill work with Splunk and Elastic?

Yes, it provides structured procedures and logic that can be used to generate detection queries for both Splunk and Elastic SIEM platforms.

What is credential dumping in cybersecurity?

Credential dumping is a post-exploitation technique where attackers extract passwords or hashes from OS memory (like LSASS), registry hives (SAM), or domain controller databases (NTDS.dit).

Can it detect Mimikatz activity?

Yes, it is specifically designed to detect the underlying techniques used by tools like Mimikatz, such as suspicious LSASS memory access patterns.

Credential Dumping Threat Detection

Name: Credential Dumping Threat Detection
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Detects unauthorized credential extraction techniques like LSASS memory dumping and SAM database theft using Sysmon and SIEM logs.

This skill provides expert guidance for cybersecurity professionals to identify and alert on credential dumping activities (MITRE ATT&CK T1003). It specializes in detecting LSASS memory access via Sysmon Event ID 10, SAM registry hive exports, and NTDS.dit theft via ntdsutil or vssadmin. By analyzing GrantedAccess bitmasks and suspicious process behaviors like comsvcs.dll abuse, it helps SOC analysts and threat hunters build robust detection rules and automate incident analysis within Splunk or Elastic SIEM environments.

主な機能

01Detection of LSASS memory access using Sysmon Event ID 10

02Identification of NTDS.dit theft via shadow copy and ntdsutil

030 GitHub stars

04Analysis of GrantedAccess bitmasks for tool signature identification

05Monitoring for SAM, SECURITY, and SYSTEM registry hive exports

06Automated SIEM query generation for Splunk and Elastic

ユースケース

01Investigating compromised endpoints for evidence of credential theft

02Developing and validating SIEM detection rules for security operations

03Threat hunting for post-exploitation lateral movement indicators

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-credential-dumping-techniques

For use in Claude.ai and ChatGPT

主な機能

01Detection of LSASS memory access using Sysmon Event ID 10

02Identification of NTDS.dit theft via shadow copy and ntdsutil

030 GitHub stars

04Analysis of GrantedAccess bitmasks for tool signature identification

05Monitoring for SAM, SECURITY, and SYSTEM registry hive exports

06Automated SIEM query generation for Splunk and Elastic

ユースケース

01Investigating compromised endpoints for evidence of credential theft

02Developing and validating SIEM detection rules for security operations

03Threat hunting for post-exploitation lateral movement indicators

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-credential-dumping-techniques

For use in Claude.ai and ChatGPT