DET0234 Credential Dumping via Sensitive Memory and Registry Access Correlation
| Item | Value |
| --- | --- |
| ID | DET0234 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1003 (OS Credential Dumping)
Analytics
Windows
AN0648
Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AccessMask | Set to detect full access rights (0x1F0FFF) or modify based on tool behavior. |
| TimeWindow | Define how soon access to LSASS is followed by suspicious file or registry activity. |
| ParentProcessFilter | Allowlist known security tools or system processes accessing LSASS. |
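The Windows analytic (AN0648) with its three mutable elements as tunable parameters, written here as an added example that is not part of the ATT&CK page. Because the log sources are not listed above, the input is a constructed set of records in the shape of Sysmon ProcessAccess (Event ID 10, with GrantedAccess) and FileCreate (Event ID 11) events; the process paths, timestamps and allowlist entries are all constructed.

```python
from datetime import datetime, timedelta

# Mutable elements of AN0648, expressed as tunable defaults.
ACCESS_MASK = 0x1F0FFF                # full access rights on the LSASS handle
TIME_WINDOW = timedelta(minutes=5)    # how soon file activity must follow the access
PARENT_PROCESS_FILTER = {r"c:\program files\edr\sensor.exe"}  # allowlist (constructed path)

# Constructed events in the shape of Sysmon ProcessAccess (EID 10) and FileCreate (EID 11).
LSASS = r"C:\Windows\System32\lsass.exe"
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "eid": 10, "src": r"C:\Program Files\EDR\sensor.exe", "target": LSASS, "access": 0x1FFFFF},
    {"ts": "2025-10-21T10:01:00", "eid": 10, "src": r"C:\Temp\pd.exe", "target": LSASS, "access": 0x1FFFFF},
    {"ts": "2025-10-21T10:02:30", "eid": 11, "src": r"C:\Temp\pd.exe", "file": r"C:\Temp\lsass.dmp"},
    {"ts": "2025-10-21T10:05:00", "eid": 10, "src": r"C:\Windows\System32\taskmgr.exe", "target": LSASS, "access": 0x1400},
    {"ts": "2025-10-21T10:10:00", "eid": 10, "src": r"C:\Temp\tool.exe", "target": LSASS, "access": 0x1F0FFF},
    {"ts": "2025-10-21T10:17:00", "eid": 11, "src": r"C:\Temp\tool.exe", "file": r"C:\Temp\out.bin"},  # 7 min later: outside window
]

def is_sensitive_access(ev, access_mask, allowlist):
    """ProcessAccess against lsass.exe with every bit of the mask granted, by a source not on the allowlist."""
    if ev["eid"] != 10 or not ev["target"].lower().endswith(r"\lsass.exe"):
        return False
    if ev["src"].lower() in allowlist:
        return False
    return (ev["access"] & access_mask) == access_mask   # bitwise, so 0x1FFFFF also matches

def correlate(events, access_mask=ACCESS_MASK, window=TIME_WINDOW, allowlist=PARENT_PROCESS_FILTER):
    """Pair each sensitive LSASS access with the first file the same process creates within the window."""
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO 8601 timestamps sort lexically
    alerts = []
    for i, ev in enumerate(ordered):
        if not is_sensitive_access(ev, access_mask, allowlist):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for nxt in ordered[i + 1:]:
            if datetime.fromisoformat(nxt["ts"]) - t0 > window:
                break                                  # past the correlation window
            if nxt["eid"] == 11 and nxt["src"] == ev["src"]:
                alerts.append({"process": ev["src"], "access_at": ev["ts"], "file": nxt["file"], "file_at": nxt["ts"]})
                break
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT: {a['process']} read LSASS at {a['access_at']} then wrote {a['file']} at {a['file_at']}")
```

With the defaults only pd.exe alerts: the EDR sensor is allowlisted, taskmgr.exe lacks the full-access bits, and tool.exe's file write falls outside the five-minute window (widening TimeWindow surfaces it).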
Linux
AN0649
Processes opening /proc/<pid>/mem or /proc/<pid>/maps targeting credential-storing services like sshd or login. Behavior often includes privilege escalation and the use of memory inspection tools such as gcore or gdb.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TargetProcessName | Define sensitive targets (e.g., sshd, login) being memory-read. |
| ToolProcessName | Flag use of memory dump tools like gcore, gdb, pmap. |
macOS
AN0650
Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| KeychainAccessPath | Path to watch for abnormal access, e.g., /Library/Keychains/ |
| SignedBinaryStatus | Filter out signed/trusted binaries. |