
detecting-t1003-credential-dumping-with-edr

by mukul975

detecting-t1003-credential-dumping-with-edr skill for threat hunting with EDR, Sysmon, and Windows event correlation to detect LSASS, SAM, NTDS.dit, LSA secrets, and cached credential dumping. Use it to validate alerts, scope incidents, and reduce false positives with practical workflow guidance.

Added: May 12, 2026
Category: Threat Hunting
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-t1003-credential-dumping-with-edr
Curation Score: 82/100

This skill scores 82/100, which means it is a solid listing candidate for directory users. It offers a concrete, security-focused workflow for detecting T1003 credential dumping with EDR/Sysmon evidence, so agents can trigger and use it with less guesswork than a generic prompt, though it is more hunting-oriented than turnkey.

Strengths
  • Specific trigger and scope for credential dumping hunts across LSASS, SAM, NTDS.dit, and cached creds.
  • Strong operational scaffolding: prerequisites, phased workflow, and detection examples for Sysmon, Windows Security logs, and EDR queries.
  • Useful supporting artifacts including two scripts, references, and a reusable hunt template that improve agent leverage.
Cautions
  • No install command in SKILL.md, so users may need to infer setup and execution flow.
  • Some repository evidence is hunt-content heavy rather than agent-execution focused, so adoption may still require analyst tuning for each EDR/SIEM.
Overview

Overview of detecting-t1003-credential-dumping-with-edr skill

What this skill does

The detecting-t1003-credential-dumping-with-edr skill helps threat hunters detect T1003 credential dumping by correlating EDR telemetry, Sysmon process access, and Windows security events. It is built for analysts who need to determine whether LSASS, SAM, NTDS.dit, LSA secrets, or cached credentials were targeted, not just whether a single alert fired.

Who should use it

Use the detecting-t1003-credential-dumping-with-edr skill if you already have EDR, Sysmon, or Windows auditing data and want a faster path from suspicion to validated hunt results. It fits incident responders, detection engineers, and threat hunters whose goal is scoping, confirmation, and control validation.

Why it is useful

The main value is practical correlation: suspicious LSASS access, known dumping tools, and registry or file activity are treated as one hunting problem. That makes the skill more useful than a generic prompt because it gives you a concrete workflow, event IDs, access masks, and likely false-positive filters to start from.

How to Use detecting-t1003-credential-dumping-with-edr skill

Install and open the right files

For detecting-t1003-credential-dumping-with-edr install, add the skill from the repo, then read SKILL.md first and use the supporting files as evidence, not decoration. The most useful paths are assets/template.md for reporting structure, references/workflows.md for hunt phases, references/api-reference.md for event/query details, and references/standards.md for access-mask and control context.

Give the skill a real hunting question

The detecting-t1003-credential-dumping-with-edr usage works best when you provide a bounded objective, data source, and host scope. Strong input looks like: “Hunt for LSASS dumping on Windows endpoints over the last 24 hours using Sysmon Event 10 and Defender for Endpoint alerts; prioritize admin workstations and return suspicious source processes, command lines, and access masks.” Weak input like “look for malware” forces guesswork and loses the EDR-specific logic.

Use the workflow in the order it was designed

Start with LSASS process access, then check for known credential-dumping command lines, then look for NTDS.dit or registry hive extraction, and only then expand to lateral movement. That order matters because it separates direct credential-access evidence from downstream impact, which reduces noise and helps you decide whether to escalate to incident response.

Tune the query inputs, not just the prompt

If your telemetry is noisy, specify the event source and the fields you actually have. For example, ask the skill to map Sysmon Event ID 10, Windows 4688, or EDR process-lineage fields to the hunt template. If you have only one source, say so up front; if you have multiple sources, ask for correlation rules between them so the output does not overfit one log type.

detecting-t1003-credential-dumping-with-edr skill FAQ

Is this only for LSASS dumping?

No. The detecting-t1003-credential-dumping-with-edr guide also covers SAM, NTDS.dit, LSA secrets, cached domain credentials, and DCSync indicators. LSASS access is the fastest signal, but the skill is broader because real attackers often mix memory access with registry and directory replication abuse.

How is this different from a normal prompt?

A normal prompt may identify T1003 concepts, but the skill gives you a repeatable hunt structure, concrete event references, and a template for reporting findings. That is the main advantage when you need detecting-t1003-credential-dumping-with-edr usage to produce actionable output instead of a generic summary.

Do I need a specific EDR?

No single EDR is required, but the skill is strongest when your platform exposes process access, command line, and alert evidence fields. It aligns well with common EDR stacks plus Sysmon and Windows auditing; if your environment lacks LSASS visibility or process creation logging, the results will be weaker.

When should I not use it?

Do not rely on it when you only need broad malware triage without Windows credential-access telemetry, or when you cannot collect enough host context to distinguish legitimate admin tools from dumping activity. In those cases, a narrower prompt or a different detection skill will be faster.

How to Improve detecting-t1003-credential-dumping-with-edr skill

Feed it better evidence

The best outputs come from precise inputs: hostnames, time window, parent process, command line, user context, access mask, and alert source. If you can, include one or two suspicious examples such as mimikatz sekurlsa::logonpasswords, procdump -ma lsass.exe, or reg save hklm\sam, because those anchor the hunt around known patterns without forcing the skill to invent them.

Reduce false positives early

Tell the skill which processes are expected in your environment, especially legitimate security tooling, admin utilities, and support agents that may touch LSASS or create process-access noise. This matters because detecting-t1003-credential-dumping-with-edr is strongest when it can separate normal admin behavior from suspicious access masks and unusual parent-child chains.
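To make the ordered workflow (LSASS access first, then dumping command lines, then hive or NTDS extraction) and the early false-positive filtering concrete, here is an added example that is not part of the skill or its repository. It correlates constructed Sysmon Event ID 10 and Windows 4688 records per host, applies an allowlist of expected LSASS readers, and maps command-line matches to the T1003 sub-techniques named on this page. The granted-access masks, the allowlisted Defender engine path, and the sample records are assumptions for the example; tune them to what your own telemetry emits.

```python
"""Added example (not the skill's own code): per-host correlation of Sysmon
Event 10 (process access) and Event 4688 (process creation) records following
the hunt order described on the page.  Masks, allowlist and sample events are
constructed assumptions, not values taken from the skill."""
import re
from collections import defaultdict

# Granted-access masks commonly cited in public LSASS-access detection rules.
# Assumption for this example; confirm against your own Sysmon configuration.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Source images expected to touch LSASS in this hypothetical environment
# (AV/EDR engines).  Environment-specific; shown here as an assumption.
EXPECTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line patterns for the dumping techniques the page lists, mapped to
# the sub-technique IDs it names (.001 LSASS memory, .002 SAM, .003 NTDS).
DUMP_PATTERNS = [
    ("T1003.001", re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("T1003.001", re.compile(r"procdump.*\blsass", re.I)),
    ("T1003.002", re.compile(r"reg(\.exe)?\s+save\s+hklm\\sam", re.I)),
    ("T1003.003", re.compile(r"ntds\.dit", re.I)),
]


def classify_lsass_access(event):
    """Stage 1: finding for a Sysmon Event 10 targeting lsass.exe, or None.
    Expected sources are filtered first so known tooling never adds noise."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if event["SourceImage"].lower() in EXPECTED_SOURCES:
        return None
    mask = int(event["GrantedAccess"], 16)  # Sysmon emits a hex string
    if mask not in SUSPICIOUS_MASKS:
        return None
    return {"stage": 1, "technique": "T1003.001", "host": event["Computer"],
            "evidence": f"{event['SourceImage']} -> lsass.exe "
                        f"GrantedAccess={event['GrantedAccess']}"}


def classify_command_line(event):
    """Stages 2-3: match a 4688 / Sysmon 1 command line against DUMP_PATTERNS.
    LSASS tooling is stage 2; hive or directory extraction is stage 3."""
    if event.get("EventID") not in (1, 4688):
        return None
    cmd = event.get("CommandLine", "")
    for technique, pattern in DUMP_PATTERNS:
        if pattern.search(cmd):
            stage = 2 if technique == "T1003.001" else 3
            return {"stage": stage, "technique": technique,
                    "host": event["Computer"], "evidence": cmd}
    return None


def hunt(events):
    """Correlate findings per host and order them by hunt stage so direct
    credential-access evidence is read before downstream extraction."""
    findings = defaultdict(list)
    for ev in events:
        finding = classify_lsass_access(ev) or classify_command_line(ev)
        if finding:
            findings[finding["host"]].append(finding)
    for host in findings:
        findings[host].sort(key=lambda f: f["stage"])
    return dict(findings)


# Constructed sample telemetry (hostnames, paths and users are made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS02",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 4688, "Computer": "WS02",
     "CommandLine": r"procdump.exe -ma lsass.exe C:\Temp\l.dmp"},
    {"EventID": 4688, "Computer": "DC01",
     "CommandLine": r"reg.exe save hklm\sam C:\Temp\sam.hiv"},
    {"EventID": 4688, "Computer": "WS03",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for host, items in hunt(SAMPLE_EVENTS).items():
        for item in items:
            print(host, item["stage"], item["technique"], item["evidence"])
```

The allowlist check runs before the mask check on purpose: an expected security agent reading LSASS with a "suspicious" mask is exactly the noise the page says to remove early, and the remaining stage-1 findings are then the ones worth pairing with stage-2 and stage-3 evidence on the same host.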

Iterate from detection to scope

After the first pass, ask for the next decision you need: confirm compromise, find related hosts, or extract a report-ready timeline. A good follow-up is: “Using the same telemetry, summarize likely compromised systems, the evidence for each, and whether the signal points to T1003.001, T1003.002, or T1003.003.” That turns the skill from a search aid into an investigation workflow.

Use the template to standardize output

Map findings into assets/template.md so each hunt has the same fields for hypothesis, LSASS access, tool detections, impact, and response. Standardization improves the detecting-t1003-credential-dumping-with-edr skill because it forces the output to answer the operational questions: what was accessed, how, on which host, and what should be reset or contained next.
