detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Stars0

Favorites0

Comments0

AddedMay 9, 2026

CategorySecurity Audit

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-credential-dumping-techniques

Curation Score

This skill scores 84/100, which means it is a solid directory listing candidate for users doing Windows threat detection work. The repository gives enough concrete workflow content to justify installation, and users should expect a focused, operational skill rather than a generic prompt.

84/100

Strengths

Specific trigger and scope: detects LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon and Windows Security logs.
Operational support is real: includes a scripts/agent.py analyzer plus a reference file with event fields, suspicious GrantedAccess values, and example SPL queries.
Good install decision signal: valid frontmatter, no placeholder markers, and clear cybersecurity/threat-detection metadata.

Cautions

The excerpt shows prerequisites but no install command in SKILL.md, so onboarding may require manual setup or external wiring.
Evidence for workflow is stronger than for progressive disclosure; users may still need to adapt rules and queries to their own SIEM and logging baseline.

Cybersecurity Windows Security Active Directory Sysmon Mimikatz

Overview

Overview of detecting-credential-dumping-techniques skill

The detecting-credential-dumping-techniques skill helps you build or validate detections for credential dumping activity such as LSASS access, SAM hive export, NTDS.dit theft, and common dump methods like comsvcs.dll MiniDump abuse. It is most useful for SOC analysts, threat hunters, detection engineers, and anyone doing a detecting-credential-dumping-techniques for Security Audit who needs a practical way to turn Windows telemetry into usable alerts.

What users usually care about is not the attack theory, but whether the skill can quickly distinguish suspicious access from normal admin activity. This skill is centered on Windows event evidence, especially Sysmon Event ID 10, process creation logs, and SIEM correlation logic. That makes it a better fit than a generic prompt when you need concrete detection logic, not just a summary of ATT&CK T1003.

What this skill is best for

Use detecting-credential-dumping-techniques when you need structured guidance for:

LSASS memory access detection
Registry hive export detection
NTDS.dit collection paths on domain controllers
Querying telemetry with Sysmon and Windows Security logs
Translating suspicious command lines into hunt rules or alerts

What it needs to work well

The skill assumes you have telemetry, not just an incident description. Strong input usually includes:

Which logs are available: Sysmon, Security 4688, EDR, SIEM
The environment: workstation, server, or domain controller
Any known process names, hashes, or command lines
The target platform: Splunk, Elastic, Sentinel, or raw event logs

Main differentiators

The detecting-credential-dumping-techniques skill is useful because it focuses on observable indicators, not just narrative explanation. Its strongest value is the combination of:

LSASS GrantedAccess patterns
Suspicious parent/child and command-line patterns
Coverage for multiple dumping paths, not only Mimikatz
Detection-oriented output that can feed a SOC workflow

How to Use detecting-credential-dumping-techniques skill

Install and read the right files first

To install the detecting-credential-dumping-techniques skill, use the repository path directly in your skills manager, then read the skill entry point first:
skills/detecting-credential-dumping-techniques/SKILL.md

After that, check:

references/api-reference.md for fields, patterns, and example queries
scripts/agent.py for the detection logic the skill likely expects you to mirror or adapt
SKILL.es.md only if you need a translated version or want to compare scope

Turn a rough goal into a usable prompt

The skill works best when your request names the exact detection job. For example, instead of asking for “credential dumping help,” ask for:

“Create a hunt for LSASS access using Sysmon Event ID 10 in Splunk”
“Review this Windows command line for SAM export indicators”
“Map this NTDS.dit collection activity to detection rules”
“Build a security audit checklist for credential dumping telemetry coverage”

That level of detail helps the detecting-credential-dumping-techniques usage because the skill can align log source, query language, and tactic.

Practical workflow that gets better output

A strong detecting-credential-dumping-techniques guide workflow is:

Identify the telemetry you already collect.
Paste one or two representative events or command lines.
State the SIEM or rule format you need.
Ask for both detections and known false-positive sources.
Request tuning guidance for your environment.

For example, a good prompt might be: “I have Sysmon Event ID 10 and Security 4688 in Splunk. Build a detection for suspicious LSASS access, exclude common Windows processes, and explain which GrantedAccess values matter most.”

Inputs that materially improve results

The skill can only be as precise as your telemetry. Include:

Exact GrantedAccess values
SourceImage, TargetImage, and CallTrace when available
The suspected technique: LSASS dump, SAM export, NTDS.dit theft, or MiniDump
Whether this is endpoint, server, or domain controller monitoring

If you do not have these details, the output will be broader and less actionable.

detecting-credential-dumping-techniques skill FAQ

Is this skill only for advanced detection engineers?

No. The detecting-credential-dumping-techniques skill is useful for beginners who need a guided starting point, but the best results come from users who can provide log samples or an environment description. Without telemetry, it becomes more of a conceptual guide than an implementation tool.

How is this different from a normal prompt?

A normal prompt often produces generic advice about credential dumping. This skill is designed to push toward specific detection artifacts: event IDs, command-line patterns, suspicious access masks, and correlation logic. That makes the detecting-credential-dumping-techniques install decision worthwhile if you need repeatable output for a SOC or audit workflow.

Can I use it without Sysmon?

You can, but the value drops. The repository is strongest when Sysmon Event ID 10 and process creation logs are available. If you only have partial Windows logging, the skill can still help, but you should expect narrower detections and more tuning.

When should I not use this skill?

Do not use it if you only need a high-level explanation of credential dumping with no detection work, or if your environment is mostly non-Windows and lacks the relevant telemetry. It is also a poor fit if you want exploit guidance rather than defensive monitoring.

How to Improve detecting-credential-dumping-techniques skill

Give the skill your actual log shape

The fastest way to improve output is to provide the same fields your SIEM stores. For detecting-credential-dumping-techniques, that usually means event IDs, command lines, process names, and access masks. A vague request like “detect bad activity” produces generic rules; a specific request like “flag SourceImage values accessing lsass.exe with 0x1010 or 0x1FFFFF” produces better results.

Ask for tuning, not just detection

The best detecting-credential-dumping-techniques usage includes noise reduction. Ask for:

known benign processes to exclude
domain controller-specific exceptions
endpoint admin tooling that might resemble dumping
separate logic for hunt vs alert severity

That helps avoid over-alerting on tools like backup agents, EDR components, or legitimate admin utilities.

Use iteration to narrow the detection

Start broad, then tighten. A practical sequence is:

Ask for a baseline rule.
Review what it catches in your environment.
Feed back false positives and missed cases.
Request a tuned version for your SIEM.

This is especially important for detecting-credential-dumping-techniques for Security Audit work, where you need coverage evidence, not just a one-off query.

Watch for the common failure modes

The main failure modes are missing telemetry, over-reliance on process names, and ignoring context such as host role or user privilege. The detecting-credential-dumping-techniques skill works best when you treat command lines and access masks as indicators that must be interpreted with environment context, not as proof by themselves.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

azure-ai-contentsafety-ts

by microsoft

azure-ai-contentsafety-ts helps analyze text and images for harmful content with Azure AI Content Safety in TypeScript. Use this skill for moderation workflows, blocklists, and security audit checks for hate, violence, sexual content, and self-harm. It also covers Azure endpoint and auth setup.

Security Audit

Favorites 0GitHub 2.3k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit

Favorites 0GitHub 6.2k

building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage

Favorites 0GitHub 6.1k

building-patch-tuesday-response-process

by mukul975

building-patch-tuesday-response-process helps teams build a repeatable Microsoft Patch Tuesday process to triage advisories, rank risk, test patches, approve rollout, and track compliance. Useful for security operations, vulnerability management, and building-patch-tuesday-response-process for Project Management.

Project Management

Favorites 0GitHub 6.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k