
Credential Dumping Detection

This query surfaces potential credential dumping by matching process execution events whose command line or image name references known dumping tools (mimikatz, procdump, pwdump) or LSASS. It works from process names and arguments only; it does not observe handle opens against LSASS or memory reads.

This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities:

1. **Process Monitoring**: `#event_simpleName=ProcessRollup2`
   - Selects process execution events across endpoints

2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)`
   - Matches known tool names in the image path, and tool names, `lsass` or `sekurlsa` anywhere in the command line (for example `procdump -ma lsass.exe`). The command-line branch also catches renamed binaries, but it equally matches benign tools whose arguments mention `lsass.exe`, so expect some false positives.

3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i`
   - Excludes processes spawned by `cmd.exe` or `powershell.exe` to reduce noise. Caveat: interactive dumping from a shell is a common attacker path, so this filter also drops true positives; an allowlist of parents known to be benign in your environment is a safer way to cut noise.

4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])`
   - Adds the account name for attribution. The join keys on `AuthenticationID` alone; logon IDs are only unique per host, so keying on `[aid, AuthenticationID]` avoids cross-host mismatches. With no `mode=` given, the join is an inner join and drops hits whose logon event falls outside the search window.

5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")`
   - Joins `SyntheticProcessRollup2` on `[aid, RawProcessId]` to carry over `SHA256HashData` for threat intelligence correlation

6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])`
   - Displays process details, user context, and file hash information

MITRE ATT&CK

credential-access

Detection Query

#event_simpleName=ProcessRollup2 
| (CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)
| ParentImageFileName!=/\\(powershell|cmd)\.exe$/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
| join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")
| table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])
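To see what the filters above actually keep and drop, here is the same logic re-implemented in Python and run over a handful of constructed ProcessRollup2- and UserIdentity-shaped events. This is an added example, not code from this page or from ByteRay GmbH. The sample events, paths, hashes and logon IDs are made up; the second join (SyntheticProcessRollup2) is not modelled because the hash is read straight from the process event; and the inner/left distinction assumes that a `join()` with no `mode=` behaves as an inner join.

```python
"""Re-implements the page's CQL credential-dumping hunt over constructed
sample events so its hits, misses and false positives can be inspected
offline. Added example; not code from the original page or from ByteRay."""
import re
from typing import Dict, Iterable, List

Event = Dict[str, str]

# The three predicates from the query, transcribed as Python regexes.
# CQL's /.../i flag becomes re.IGNORECASE; "\\" matches one literal backslash.
CMDLINE_RE = re.compile(r"mimikatz|procdump|lsass|sekurlsa", re.IGNORECASE)
IMAGE_RE = re.compile(r"\\(mimikatz|procdump|pwdump)\.exe$", re.IGNORECASE)
PARENT_EXCLUDE_RE = re.compile(r"\\(powershell|cmd)\.exe$", re.IGNORECASE)

# Columns of the query's table() stage.
TABLE_FIELDS = ["aid", "UserName", "ImageFileName", "CommandLine",
                "ParentImageFileName", "SHA256HashData"]


def matches_indicators(ev: Event) -> bool:
    """Query line 2: tool name in the command line OR in the image path."""
    return bool(CMDLINE_RE.search(ev.get("CommandLine", ""))
                or IMAGE_RE.search(ev.get("ImageFileName", "")))


def parent_excluded(ev: Event) -> bool:
    """Query line 3: drop anything spawned by powershell.exe or cmd.exe."""
    return bool(PARENT_EXCLUDE_RE.search(ev.get("ParentImageFileName", "")))


def classify(ev: Event) -> str:
    """Explain how the two filter stages treat a single event."""
    if not matches_indicators(ev):
        return "no_indicator"
    if parent_excluded(ev):
        return "dropped_by_parent_filter"
    return "candidate"


def run_hunt(process_events: Iterable[Event], identity_events: Iterable[Event],
             mode: str = "inner") -> List[Event]:
    """Filter the process events, join UserName by AuthenticationID and
    project the table() columns. mode="inner" drops rows with no identity
    match; mode="left" keeps them with an empty UserName.
    Like the query, the join keys on AuthenticationID only (not on aid)."""
    users = {ev["AuthenticationID"]: ev["UserName"] for ev in identity_events}
    rows: List[Event] = []
    for ev in process_events:
        if classify(ev) != "candidate":
            continue
        auth = ev.get("AuthenticationID", "")
        if auth not in users and mode == "inner":
            continue  # inner join: no UserIdentity event, no result row
        joined = dict(ev, UserName=users.get(auth, ""))
        rows.append({f: joined.get(f, "") for f in TABLE_FIELDS})
    return rows


# Constructed sample telemetry (not real events). Field names follow the query.
PROCESS_EVENTS: List[Event] = [
    # 1. Classic: mimikatz.exe launched from explorer.exe -> reported.
    {"aid": "a1", "RawProcessId": "4100", "AuthenticationID": "0x3e7a1",
     "ImageFileName": r"C:\Users\alice\Downloads\mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords",
     "ParentImageFileName": r"C:\Windows\explorer.exe", "SHA256HashData": "aa" * 32},
    # 2. Renamed binary: image regex misses it, command line hits on "sekurlsa".
    {"aid": "a1", "RawProcessId": "4188", "AuthenticationID": "0x3e7a1",
     "ImageFileName": r"C:\Users\Public\svc.exe",
     "CommandLine": "svc.exe sekurlsa::minidump lsass.dmp",
     "ParentImageFileName": r"C:\Windows\explorer.exe", "SHA256HashData": "bb" * 32},
    # 3. Blind spot: procdump against LSASS, but spawned by cmd.exe -> excluded.
    {"aid": "a2", "RawProcessId": "5120", "AuthenticationID": "0x1f402",
     "ImageFileName": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe out.dmp",
     "ParentImageFileName": r"C:\Windows\System32\cmd.exe", "SHA256HashData": "cc" * 32},
    # 4. False positive: a benign tool whose arguments merely mention lsass.exe.
    {"aid": "a2", "RawProcessId": "5200", "AuthenticationID": "0x1f402",
     "ImageFileName": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist.exe /fi "imagename eq lsass.exe"',
     "ParentImageFileName": r"C:\Program Files\Monitor\agent.exe", "SHA256HashData": "dd" * 32},
    # 5. Matched by image name, but its logon has no UserIdentity event in the window.
    {"aid": "a3", "RawProcessId": "6001", "AuthenticationID": "0x9999",
     "ImageFileName": r"C:\Temp\pwdump.exe", "CommandLine": "pwdump.exe",
     "ParentImageFileName": r"C:\Windows\explorer.exe", "SHA256HashData": "ee" * 32},
    # 6. Unrelated process -> no match.
    {"aid": "a3", "RawProcessId": "6002", "AuthenticationID": "0x9999",
     "ImageFileName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImageFileName": r"C:\Windows\explorer.exe", "SHA256HashData": "ff" * 32},
]

IDENTITY_EVENTS: List[Event] = [
    {"aid": "a1", "AuthenticationID": "0x3e7a1", "UserName": "alice"},
    {"aid": "a2", "AuthenticationID": "0x1f402", "UserName": "svc_backup"},
]

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(f"pid {ev['RawProcessId']}: {classify(ev)}")
    for row in run_hunt(PROCESS_EVENTS, IDENTITY_EVENTS):
        print(row)
```

Running it shows the renamed binary caught by the command-line branch, the procdump launched from cmd.exe silently dropped by the parent filter, tasklist reported as a false positive, and the pwdump hit disappearing under the inner join because its UserIdentity event is missing (pass `mode="left"` to keep it).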

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting, cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Credential Dumping Detection

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1003.001
  - T1003.002
  - T1558.003

# Description of what the query does and its purpose.
description: This query surfaces potential credential dumping by matching process execution events whose command line or image name references known dumping tools (mimikatz, procdump, pwdump) or LSASS. It works from process names and arguments only; it does not observe handle opens against LSASS or memory reads.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
tags:
  - Hunting

cs_required_modules: 
  - Insight

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=ProcessRollup2 
  | (CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)
  | ParentImageFileName!=/\\(powershell|cmd)\.exe$/i
  | join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
  | join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")
  | table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities:

  1. **Process Monitoring**: `#event_simpleName=ProcessRollup2`
     - Selects process execution events across endpoints

  2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)`
     - Matches known tool names in the image path, and tool names, `lsass` or `sekurlsa` anywhere in the command line (for example `procdump -ma lsass.exe`). The command-line branch also catches renamed binaries, but it equally matches benign tools whose arguments mention `lsass.exe`, so expect some false positives.

  3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i`
     - Excludes processes spawned by `cmd.exe` or `powershell.exe` to reduce noise. Caveat: interactive dumping from a shell is a common attacker path, so this filter also drops true positives; an allowlist of parents known to be benign in your environment is a safer way to cut noise.

  4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])`
     - Adds the account name for attribution. The join keys on `AuthenticationID` alone; logon IDs are only unique per host, so keying on `[aid, AuthenticationID]` avoids cross-host mismatches. With no `mode=` given, the join is an inner join and drops hits whose logon event falls outside the search window.

  5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")`
     - Joins `SyntheticProcessRollup2` on `[aid, RawProcessId]` to carry over `SHA256HashData` for threat intelligence correlation

  6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])`
     - Displays process details, user context, and file hash information