

This search detects the memory of lsass.exe being dumped for an offline credential theft attack.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2020-09-15
  • Author: Jose Hernandez, Splunk
  • ID: 76bb9e35-f314-4c3d-a385-83c72a13ce4e


| ID | Technique | Tactic |
|---|---|---|
| T1003.003 | NTDS | Credential Access |
| T1003 | OS Credential Dumping | Credential Access |

```
| from read_ssa_enriched_events() 
| eval tenant=ucast(map_get(input_event, "_tenant"), "string", null), machine=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process=lower(ucast(map_get(input_event, "process"), "string", null)), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true 
| eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body=create_map(["event_id", event_id, "process_name", process_name, "process", process]) 
| into write_ssa_detected_events();
```

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with Event Code 4688 on the attack_range.
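The following is an added example, not part of the Splunk content or the attack_range tooling: it mirrors the search's where clause and output map in Python so the logic can be exercised offline against constructed Event Code 4688 records (the field names follow the Required field list above; device IDs, timestamps and command lines are made up).

```python
import re
from typing import Dict, List, Optional

# Same pattern as the SPL match_regex; the search lowercases the field first
# and also sets (?i), so IGNORECASE reproduces its behaviour exactly.
MINIDUMP_RE = re.compile(r"comsvcs.dll[,\s]+MiniDump", re.IGNORECASE)


def detect(event: Dict[str, Optional[str]]) -> Optional[Dict[str, object]]:
    """Apply the search's where clause to one enriched event.

    Returns the detected-event record the SPL writes (start/end time,
    entities, body map), or None when the event does not match.
    """
    process_name = (event.get("process_name") or "").lower()
    process = (event.get("process") or "").lower()
    # Both conditions are ANDed, as in the SPL: host image AND command line.
    if "rundll32.exe" not in process_name:
        return None
    if not MINIDUMP_RE.search(process):
        return None
    ts = int(event["_time"])  # parse_long(_time)
    return {
        "start_time": ts,
        "end_time": ts,
        "entities": [event.get("dest_device_id")],  # mvappend(machine)
        "body": {"event_id": event.get("event_id"),
                 "process_name": process_name,
                 "process": process},
    }


def run_detection(events: List[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Run detect() over a batch, keeping only the hits (constructed input below)."""
    return [hit for hit in (detect(e) for e in events) if hit is not None]


# Constructed sample events in the shape of the SSA input (not real telemetry).
SAMPLE_EVENTS = [
    {"_tenant": "t1", "_time": "1600000000000", "dest_device_id": "ws01",
     "event_id": "4688", "process_name": "rundll32.exe",
     "process": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\a.dmp full"},
    {"_tenant": "t1", "_time": "1600000001000", "dest_device_id": "ws02",
     "event_id": "4688", "process_name": "rundll32.exe",
     "process": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use
    {"_tenant": "t1", "_time": "1600000002000", "dest_device_id": "ws03",
     "event_id": "4688", "process_name": "RUNDLL32.EXE",   # case and spacing variant
     "process": r"RUNDLL32.EXE C:\WINDOWS\SYSTEM32\COMSVCS.DLL  MINIDUMP 712 C:\x.dmp full"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["entities"], hit["body"]["process"])
```

Only the first and third constructed events are flagged; the second shows that the rundll32.exe condition alone is not enough to fire, the command-line pattern must also match.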

Required field

  • process_name
  • _tenant
  • _time
  • dest_device_id
  • process

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.


| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 70.0 | 70 | 100 | Malicious actor is dumping encoded credentials via Microsoft's native comsvc DLL. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$ |


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1