« Multiple Logon Failure from the same Source Address NTDS or SAM Database File Copied »
Elastic Docs Elastic Security [8.19] Downloadable rule update v8.19.23

Potential Credential Access via Windows Utilities

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Credential Access via Windows Utilities

edit

Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.

Rule type: eql

Rule indices:

  • endgame-*
  • logs-endpoint.events.process-*
  • logs-m365_defender.event-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-system.security*
  • logs-windows.forwarded*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Tactic: Defense Evasion
  • Resources: Investigation Guide
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend
  • Data Source: Windows Security Event Logs
  • Data Source: Microsoft Defender XDR
  • Data Source: SentinelOne
  • Data Source: Sysmon

Version: 321

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Potential Credential Access via Windows Utilities

Possible investigation steps

  • Which utility path did the alert take, and is the binary identity credible?
  • Focus: process.name, process.pe.original_file_name, process.executable, process.command_line, and process.code_signature.subject_name.
  • Implication: escalate faster when the alert path is a dump-capable utility from a user-writable, renamed, missing expected signer, or unexpected location; lower suspicion only when the utility family, signer, installed path, and command pattern fit one recognized diagnostic, SQL troubleshooting, crash-triage, or AD maintenance workflow. Identity alone does not clear the behavior.
  • Do the arguments identify a credential-dump objective?
  • Focus: process.command_line: credential target, dump mode, script path, and output location.
  • Hint: high-risk examples include "procdump -ma lsass.exe", Rundll32/comsvcs MiniDump, ntdsutil IFM output, and "diskshadow.exe /s" scripts that expose, copy, exec, or delete shadow-copy paths.
  • Implication: escalate when arguments target LSASS, invoke Rundll32/comsvcs dumping, create NTDS/IFM output, drive VSS script execution, or write to user-writable or share paths; lower suspicion when the target is clearly non-credential and the output path matches the same recognized troubleshooting or backup workflow.
  • Does the parent chain explain why this host would run a dump or snapshot utility?
  • Focus: process.parent.executable, process.parent.command_line, process.Ext.ancestry, and process.Ext.session_info.logon_type, with user.id defining the actor scope.
  • Implication: escalate when the chain starts from shells, script hosts, Office processes, unexpected services, scheduled tasks, or remote-interactive sessions; lower suspicion only when the same actor, session type, and parent workflow explain the utility launch and do not conflict with command intent.
  • If file telemetry is available, did the utility create dump, shadow-copy, or directory database artifacts?
  • Focus: recover file events with host.id + process.entity_id; if process.entity_id is missing, use host.id + process.pid + a tight alert window, then review file.path, file.Ext.original.path, and file.Ext.header_bytes for dump files, copied directory-database material, IFM folders, registry hives, shadow-copy output, or archive staging. !{investigate{"description":"","label":"File activity for the alerting process and children","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"file","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"file","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • Implication: escalate when artifacts show LSASS dumps, AD database or credential-hive collection, shadow-copy access, or staged archives; close cannot rely on absent file events because missing file telemetry is unresolved, not benign.
  • Do child processes or connection events show collected material being staged or exported?
  • Focus: child process starts, file activity, and network activity where process.parent.entity_id matches the alerting process.entity_id on host.id; if network telemetry is available, review destination.ip, destination.port, and network.direction. !{investigate{"description":"","label":"Child processes of the alerting process","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}} !{investigate{"description":"","label":"Network activity for the alerting process and children","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • Hint: if the utility spawns a short-lived archiver or copy tool, pivot from that child into same-host connection events before broadening.
  • Implication: escalate when the utility or child process spawns archivers, copy tools, "diskshadow.exe" exec children, or transfers dump material off-host; missing network telemetry is unresolved, not benign.
  • If local findings remain suspicious or unresolved, do related alerts show broader credential-access activity?
  • Focus: related alerts for user.id covering dumping, privilege escalation, lateral movement, archiving, or staging. !{investigate{"description":"","label":"Alerts associated with the user","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Hint: if the actor view is sparse, pivot to related alerts for host.id covering precursor access, persistence, archiving, or exfiltration. !{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Implication: broaden when either view shows a credential-access chain or reuse of the same utility pattern; do not close solely because related alerts are absent if command intent, artifacts, lineage, or post-dump cleanup remain suspicious.
  • Disposition: escalate when utility identity, command intent, lineage, artifacts, staging, or related scope indicate credential access; close only when identity, arguments, lineage, recovered artifacts, and supported scope all align with one recognized diagnostic, troubleshooting, crash-triage, backup, or IFM workflow; preserve artifacts and escalate when evidence is mixed or visibility is incomplete.

False positive analysis

  • Recognized crash-triage, SQL troubleshooting, AD backup, or IFM workflows can trigger this rule. Confirm the same workflow across identity (process.executable, process.code_signature.subject_name), lineage (process.parent.executable), intent (process.command_line), actor/scope (user.id, host.id), and recovered artifact paths when available. Case records may corroborate the workflow, but do not close on recurrence alone; use prior alerts only after current telemetry aligns.
  • Build exceptions only from the confirmed recurring workflow: process.executable, process.code_signature.subject_name, process.parent.executable, stable process.command_line, user.id, host.id, and recovered output path or dump-directory pattern when available. Avoid exceptions on process.name, host.id, utility family, or generic dump switches alone.

Response and remediation

  • If confirmed benign, record the recognized diagnostic, backup, or directory-services evidence in process.executable, process.command_line, process.parent.executable, user.id, host.id, and recovered output paths when available, then reverse any temporary containment. Create an exception only if that same pattern recurs consistently across prior alerts from this rule.
  • If suspicious but unconfirmed, preserve the recovered process.entity_id or process.pid with host.id and time, process.command_line, script-file, dump, shadow-copy, and copied-database paths, child-process lineage via process.parent.entity_id / process.parent.pid, and any confirmed destination pairs before making destructive changes. Apply reversible containment first, such as temporary destination blocking or increased monitoring on the affected host.id and user.id. Escalate to host isolation only if dump material, IFM output, or staging transfers are confirmed and the host can tolerate interruption.
  • If confirmed malicious, use endpoint response actions to isolate the host and terminate the dump or staging process after preserving process.entity_id, process.parent.entity_id, process.command_line, recovered output paths, any available process.hash.sha256, and confirmed destinations. If direct endpoint response is unavailable, hand off that artifact set immediately to the team that can isolate the system or block the destinations.
  • If LSASS dumping is confirmed, assume exposure for all accounts with active sessions on the affected host, including interactive, service, and cached credentials. Prioritize resets for privileged, service, and lateral-movement-relevant accounts and review whether the dump material was staged or transferred before containment.
  • If NTDS access or dump activity is confirmed on a domain controller, activate the organization’s Active Directory compromise response plan, preserve the evidence needed to scope database and credential exposure, and begin privileged-account hygiene based on the systems and accounts implicated by the investigation before deleting copied database material.
  • Review related hosts and users for the same process.command_line patterns, dump-file naming patterns, process.parent.executable, and confirmed destinations before deleting dump files, IFM output, shadow copies, utilities, or persistence mechanisms uncovered during the investigation, then remediate the delivery or privilege path that allowed the utility to run.

Setup

edit

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

edit
process where host.os.type == "windows" and event.type == "start" and
(
  (
    (?process.pe.original_file_name : "procdump" or process.name : "procdump.exe") and process.args : "-ma"
  ) or
  (
    process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*"""
  ) or
  (
    (?process.pe.original_file_name : "WriteMiniDump.exe" or process.name : "WriteMiniDump.exe") and
      not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*"""
  ) or
  (
    (?process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and
      (process.args : "*MiniDump*" or process.command_line : "*comsvcs*#*24*")
  ) or
  (
    (?process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and
      process.args : "/fullmemdmp"
  ) or
  (
    (?process.pe.original_file_name : "SqlDumper.exe" or process.name : "SqlDumper.exe") and
      process.args : "0x01100*") or
  (
    (?process.pe.original_file_name : "TTTracer.exe" or process.name : "TTTracer.exe") and
      process.args : "-dumpFull" and process.args : "-attach") or
  (
    (?process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and
      process.args : "cr*fu*") or
  (
    (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s")
)

Framework: MITRE ATT&CKTM

« Multiple Logon Failure from the same Source Address NTDS or SAM Database File Copied »