Try in Splunk Security Cloud


Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of pwdump tool that extracts NTLM and LanMan password hashes from Windows. Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2020-10-18
  • Author: Stanislav Miskovic, Splunk
  • ID: 312582f2-5e91-42c1-a275-cd67f31373c8


ID Technique Tactic
T1003 OS Credential Dumping Credential Access
| from read_ssa_enriched_events()

| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line != null AND process_name != null AND parent_process_name != null AND match_regex(parent_process_name, /(?i)System32\\services.exe/)=true AND match_regex(process_name, /(?i)cachedump\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\Temp/)=true AND match_regex(cmd_line, /(?i)\-s/)=true

| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name]) 
| into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.


Risk Score Impact Confidence Message
70.0 70 100 Malicious actor is accessing stored credentials via FGDump or CacheDump tools. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1