Credential Dumping via Sensitive Memory and Registry Access Correlation

Technique Detected: OS Credential Dumping | T1003

ID: DET0234
Domains: Enterprise
Analytics: AN0648, AN0649, AN0650
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0648

Processes accessing LSASS memory or SAM registry hives that are not trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to the OS subsystems that hold credentials, for the purpose of credential extraction.

Log Sources
  Data Component                           Name                  Channel
  Process Access (DC0035)                  WinEventLog:Sysmon    EventCode=10
  Process Creation (DC0032)                WinEventLog:Sysmon    EventCode=1
  File Access (DC0055)                     WinEventLog:Security  EventCode=4663
  Active Directory Object Access (DC0071)  WinEventLog:Security  EventCode=4662

Mutable Elements
  Field                Description
  AccessMask           Set to detect full access rights (0x1F0FFF), or adjust to the access masks the tools in question request.
  TimeWindow           Define how soon access to LSASS must be followed by suspicious file or registry activity.
  ParentProcessFilter  Allowlist known security tools or system processes that access LSASS.
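The correlation AN0648 describes, written out as an added example (this is not code from ATT&CK or from any vendor): Sysmon EventCode 10 events on lsass.exe are filtered by the three mutable elements, then paired with process creations (Sysmon EventCode 1) and file accesses (Security 4663) by the same PID inside the time window. Sysmon and Security field names (SourceImage, TargetImage, GrantedAccess, SourceProcessId, ParentProcessId, Image, ProcessId, ObjectName) are the real ones; the allowlist, the sample events and the tool path are constructed for the example.

```python
"""Correlation logic sketched by AN0648, run over constructed Sysmon/Security events."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Mutable elements of the analytic, expressed as tunables.
ACCESS_MASKS = {0x1F0FFF}              # AccessMask: full access rights to LSASS
TIME_WINDOW = timedelta(minutes=5)     # TimeWindow: how soon follow-up activity must occur
PARENT_PROCESS_FILTER = {              # ParentProcessFilter: allowlisted accessors (constructed list)
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
SENSITIVE_TARGETS = {"lsass.exe"}


@dataclass
class Alert:
    source_image: str
    source_pid: int
    access_time: datetime
    granted_access: int
    followups: list[dict] = field(default_factory=list)


def _ts(event: dict) -> datetime:
    # Sysmon UtcTime layout; the constructed Security events use the same layout.
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _pid(value: str) -> int:
    # Sysmon logs PIDs in decimal, Security 4663 logs them as hex ("0x1018"); base 0 accepts both.
    return int(value, 0)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_lsass_access(events: list[dict]) -> list[dict]:
    """Sysmon EventCode 10 where a non-allowlisted process obtained a flagged access mask on LSASS."""
    hits = []
    for ev in events:
        if ev["Channel"] != "Sysmon" or ev["EventCode"] != 10:
            continue
        if _basename(ev["TargetImage"]) not in SENSITIVE_TARGETS:
            continue
        if ev["SourceImage"].lower() in PARENT_PROCESS_FILTER:
            continue
        if int(ev["GrantedAccess"], 16) not in ACCESS_MASKS:
            continue
        hits.append(ev)
    return hits


def correlate(events: list[dict]) -> list[Alert]:
    """Pair each suspicious LSASS access with file or child-process activity by the same PID within TIME_WINDOW."""
    alerts = []
    for access in suspicious_lsass_access(events):
        t0, pid = _ts(access), _pid(access["SourceProcessId"])
        alert = Alert(access["SourceImage"], pid, t0, int(access["GrantedAccess"], 16))
        for ev in events:
            t = _ts(ev)
            if not (t0 <= t <= t0 + TIME_WINDOW):
                continue
            if ev["Channel"] == "Sysmon" and ev["EventCode"] == 1 and _pid(ev["ParentProcessId"]) == pid:
                alert.followups.append({"kind": "child_process", "detail": ev["Image"], "time": t})
            elif ev["Channel"] == "Security" and ev["EventCode"] == 4663 and _pid(ev["ProcessId"]) == pid:
                alert.followups.append({"kind": "file_access", "detail": ev["ObjectName"], "time": t})
        if alert.followups:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real events): one full-access read of LSASS with follow-ups,
# one allowlisted AV access, one benign low-rights access, and one file access outside the window.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventCode": 10, "UtcTime": "2025-10-21 10:00:00.000",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "SourceProcessId": "4120",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    {"Channel": "Sysmon", "EventCode": 10, "UtcTime": "2025-10-21 10:00:01.000",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "SourceProcessId": "3000",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    {"Channel": "Sysmon", "EventCode": 10, "UtcTime": "2025-10-21 10:00:02.000",
     "SourceImage": r"C:\Windows\explorer.exe", "SourceProcessId": "1500",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Channel": "Security", "EventCode": 4663, "UtcTime": "2025-10-21 10:00:12.000",
     "ProcessId": "0x1018", "ObjectName": r"C:\Users\alice\AppData\Local\Temp\lsass.dmp", "AccessMask": "0x2"},
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2025-10-21 10:00:30.000",
     "ParentProcessId": "4120", "Image": r"C:\Windows\System32\cmd.exe"},
    {"Channel": "Security", "EventCode": 4663, "UtcTime": "2025-10-21 10:20:00.000",
     "ProcessId": "0x1018", "ObjectName": r"C:\Users\alice\notes.txt", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.access_time} pid={a.source_pid} {a.source_image} GrantedAccess=0x{a.granted_access:X}")
        for f in a.followups:
            print(f"    {f['time']} {f['kind']}: {f['detail']}")
```

Two tuning points matter in practice: GrantedAccess is compared against a set, so masks other than 0x1F0FFF can be added when a tool in the environment requests less than full access, and the allowlist is matched on the full lowercased image path rather than the file name so that a copy of an allowlisted binary in a user-writable directory is still flagged.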

AN0649

Processes opening /proc/<pid>/mem or /proc/<pid>/maps of credential-storing services such as sshd or login. The behavior is often accompanied by privilege escalation and by memory-inspection tools such as gcore or gdb.

Log Sources
  Data Component             Name            Channel
  File Access (DC0055)       auditd:SYSCALL  open
  Process Access (DC0035)    auditd:SYSCALL  ptrace
  Process Creation (DC0032)  auditd:SYSCALL  execve

Mutable Elements
  Field              Description
  TargetProcessName  Define the sensitive targets (e.g., sshd, login) whose memory is being read.
  ToolProcessName    Flag use of memory-dump tools such as gcore, gdb, pmap.
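An added example of how AN0649 could be evaluated over raw auditd records (not code from ATT&CK or from the auditd project): SYSCALL records are grouped with their PATH records by audit serial, the target PID is taken from the ptrace a1 argument or from a /proc/<pid>/mem or /proc/<pid>/maps path, and the two mutable elements decide the severity. The syscall numbers are the x86_64 ones (arch c000003e); the pid-to-comm table that stands in for an execve-derived process inventory, the audit keys and all sample lines are constructed.

```python
"""Evaluate auditd SYSCALL/PATH records against the AN0649 mutable elements (constructed input)."""
import re
from collections import defaultdict

TARGET_PROCESS_NAMES = {"sshd", "login"}        # TargetProcessName
TOOL_PROCESS_NAMES = {"gcore", "gdb", "pmap"}   # ToolProcessName
X86_64 = "c000003e"                             # only this arch's syscall numbers are handled
PTRACE, OPEN, OPENAT = 101, 2, 257              # x86_64 syscall numbers

# Constructed pid -> comm table; in production this comes from execve records or a process inventory.
PROCESS_TABLE = {1234: "sshd", 2400: "bash", 2311: "gdb", 2320: "pmap"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AUDIT_ID = re.compile(r"audit\(([\d.]+):(\d+)\)")
_PROC_MEM = re.compile(r"^/proc/(\d+)/(mem|maps)$")


def parse_record(line: str) -> dict:
    """Split one auditd line into key/value fields plus its timestamp and serial."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _AUDIT_ID.search(line)
    fields["_ts"], fields["_id"] = float(m.group(1)), int(m.group(2))
    return fields


def group_events(lines):
    """auditd emits one event as several records sharing the same serial; regroup them."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        events[rec["_id"]].append(rec)
    return events


def target_pid_of(sys_rec: dict, recs: list) -> "int | None":
    """Recover which process was inspected: ptrace carries the pid in a1, open/openat in the PATH name."""
    syscall = int(sys_rec["syscall"])
    if syscall == PTRACE:
        return int(sys_rec["a1"], 16)   # auditd logs syscall arguments in hex
    if syscall in (OPEN, OPENAT):
        for r in recs:
            m = _PROC_MEM.match(r.get("name", "")) if r["type"] == "PATH" else None
            if m:
                return int(m.group(1))
    return None


def evaluate(lines) -> list:
    findings = []
    for audit_id, recs in sorted(group_events(lines).items()):
        sys_rec = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sys_rec is None or sys_rec.get("arch") != X86_64:
            continue
        target_pid = target_pid_of(sys_rec, recs)
        if target_pid is None:
            continue
        target, tool = PROCESS_TABLE.get(target_pid, "unknown"), sys_rec.get("comm", "")
        sensitive_target, known_tool = target in TARGET_PROCESS_NAMES, tool in TOOL_PROCESS_NAMES
        if not (sensitive_target or known_tool):
            continue
        findings.append({
            "audit_id": audit_id, "ts": sys_rec["_ts"], "syscall": int(sys_rec["syscall"]),
            "tool": tool, "exe": sys_rec.get("exe", ""), "target_pid": target_pid, "target": target,
            # both conditions together is the AN0649 pattern; either alone is worth a lower tier
            "severity": "high" if sensitive_target and known_tool else "medium",
        })
    return findings


# Constructed sample records: gdb attaching to sshd, pmap reading a shell's maps,
# an unknown binary reading sshd's memory, and a benign openat of /etc/hostname.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1761040800.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=2200 pid=2311 auid=1000 uid=0 euid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1761040805.500:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a4b2a0 a2=0 a3=0 items=1 ppid=2200 pid=2320 auid=1000 uid=0 euid=0 comm="pmap" exe="/usr/bin/pmap" key="procmem"',
    'type=PATH msg=audit(1761040805.500:502): item=0 name="/proc/2400/maps" inode=12345 dev=00:16 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1761040810.250:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e0a10 a2=0 a3=0 items=1 ppid=2200 pid=2333 auid=1000 uid=0 euid=0 comm="a.out" exe="/tmp/a.out" key="procmem"',
    'type=PATH msg=audit(1761040810.250:503): item=0 name="/proc/1234/mem" inode=12346 dev=00:16 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1761040815.000:504): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e0b20 a2=0 a3=0 items=1 ppid=2200 pid=2340 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="procmem"',
    'type=PATH msg=audit(1761040815.000:504): item=0 name="/etc/hostname" inode=777 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LINES):
        print(f"[{f['severity']}] serial={f['audit_id']} {f['tool']} ({f['exe']}) -> pid {f['target_pid']} ({f['target']})")
```

The arch check is deliberate: syscall numbers differ between architectures and between 32-bit and 64-bit processes on the same host, so a rule that hard-codes 101 for ptrace is only valid for the arch it was written against. Records that fail the check are skipped here rather than misclassified; a production rule would carry a per-arch table.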

AN0650

Unsigned processes that access system memory or launch known credential-scraping tooling (e.g., osascript, dylib injection) to reach the Keychain or sensitive memory regions.

Log Sources
  Data Component             Name              Channel
  Process Metadata (DC0034)  macos:unifiedlog  Code Execution & Entitlement Access
  File Access (DC0055)       macos:keychain    Access to Keychain DB or system.keychain
  Process Creation (DC0032)  macos:osquery     Invocation of osascript or dylib injection

Mutable Elements
  Field               Description
  KeychainAccessPath  Path to watch for abnormal access, e.g., /Library/Keychains/
  SignedBinaryStatus  Filter out signed/trusted binaries.