OS Credential Dumping `T1003`

Tactic: Credential Access

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.

Events covered

61 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 5	Process terminated
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 8	CreateRemoteThread
Sysmon	Event ID 10	ProcessAccess
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Sysmon	Event ID 17	PipeEvent (Pipe Created)
Sysmon	Event ID 18	PipeEvent (Pipe Connected)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4656	A handle to an object was requested.
Security-Auditing	Event ID 4657	A registry value was modified.
Security-Auditing	Event ID 4661	A handle to an object was requested.
Security-Auditing	Event ID 4662	An operation was performed on an object.
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4672	Special privileges assigned to new logon.
Security-Auditing	Event ID 4673	A privileged service was called.
Security-Auditing	Event ID 4674	An operation was attempted on a privileged object.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4689	A process has exited.
Security-Auditing	Event ID 4690	An attempt was made to duplicate a handle to an object.
Security-Auditing	Event ID 4692	Backup of data protection master key was attempted.
Security-Auditing	Event ID 4697	A service was installed in the system.
Security-Auditing	Event ID 4703	A user right was adjusted.
Security-Auditing	Event ID 4728	A member was added to a security-enabled global group.
Security-Auditing	Event ID 4732	A member was added to a security-enabled local group.
Security-Auditing	Event ID 4756	A member was added to a security-enabled universal group.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4769	A Kerberos service ticket was requested.
Security-Auditing	Event ID 4904	An attempt was made to register a security event source.
Security-Auditing	Event ID 4905	An attempt was made to unregister a security event source.
Security-Auditing	Event ID 5136	A directory service object was modified.
Security-Auditing	Event ID 5145	A network share object was checked to see whether client can be granted desired access.
Security-Auditing	Event ID 5382	Vault credentials were read.
Application-Error	Event ID 1000	Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Defender-DeviceEvents	OpenProcessApiCall	Process opened (OpenProcess API call)
Defender-DeviceEvents	ProcessPrimaryTokenModified	Process primary token modified
Defender-DeviceNetworkEvents	NetworkSignatureInspected	Network signature inspected
Defender-DeviceProcessEvents	any	Process activity (any)
Defender-DeviceProcessEvents	ProcessCreated	Process created
ESENT	Event ID 216	Event ID 216
ESENT	Event ID 325	Event ID 325
ESENT	Event ID 326	Event ID 326
ESENT	Event ID 327	Event ID 327
Linux-Auditd	Event ID 1302	PATH
Kernel-Audit-API-Calls	Event ID 5	OpenProcess API call audited
Kernel-General	Event ID 16	The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Ntfs	Event ID 98	Volume DriveName (DeviceName) CorruptionActionState.
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender	Event ID 1116	Product Name has detected malware or other potentially unwanted software.
Windows-Defender	Event ID 1117	Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Windows-Defender	Event ID 1121	Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
PowerShell	Event ID 800	Event ID 800
Service-Control-Manager	Event ID 7045	A service was installed in the system.
Sysmon-for-Linux	Event ID 1	Process Create
VSSAudit	Event ID 8222	Event ID 8222
Windows-Error-Reporting	Event ID 1001	Fault bucket , type.

Authoring guide

Patterns shared across the 389 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (209 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	110	`contains` 79, `regex_match` 19, `match` 6, `in` 5, `wildcard` 5, `ends_with` 2, `starts_with` 2, `eq` 1	`--full` , `--name` , `-f` , `(?i)ntds\.dit`, `create`
`Image`	94	`ends_with` 74, `contains` 14, `eq` 11, `regex_match` 7, `is_not_null` 2, `starts_with` 2, `wildcard` 1	`\powershell.exe`, `\pwsh.exe`, `\rundll32.exe`, `\\lsass\.exe$`, `\ntdsutil.exe`
`EventID`	71	`eq` 70, `in` 1	`4688`, `1`, `4104`, `10`, `4656`
`process_name`	66	`eq` 43, `ends_with` 10, `in` 6, `regex_match` 4, `contains` 3, `match` 3, `is_not_null` 1, `ne` 1, `starts_with` 1, `wildcard` 1	`cat`, `cmd.exe`, `powershell.exe`, `(?i)adexplorer(64)?\|adexp\.exe`, `\lsass.exe`
`OriginalFileName`	55	`eq` 53, `in` 2, `contains` 1, `is_null` 1	`powershell.exe`, `cmd.exe`, `reg.exe`, `appcmd.exe`, `fx_ver_internalname_str`
`event.type`	33	`eq` 29, `in` 3, `ne` 1	`start`, `creation`, `change`, `process_started`, `deletion`
`TargetFilename`	28	`ends_with` 13, `contains` 10, `regex_match` 8, `eq` 2, `starts_with` 2, `wildcard` 2	`.dmp`, `\.dmp$`, `\lsass`, `\ntds.dit`, `lsass.dmp`
`TargetImage`	28	`ends_with` 23, `eq` 4, `in` 1	`\lsass.exe`, `lsass.exe`, `?:\windows\system32\lsass.exe`, `\\lsass.exe`, `\system32\lsass.exe`
`EventType`	26	`eq` 14, `in` 9, `ne` 2, `wildcard` 1	`exec`, `exec_event`, `ProcessRollup2`, `IntrusionEvent`, `creation`
`process.args`	20	`eq` 14, `wildcard` 7, `starts_with` 5, `contains` 3, `in` 3, `match` 1	`connectionstring`, `--exec`, `--json`, `--pid`, `--reference=`
`GrantedAccess`	17	`eq` 14, `ends_with` 5, `contains` 1, `in` 1, `starts_with` 1	`0x1010`, `0x1410`, `0x1fffff`, `0x1418`, `0x1438`
`ScriptBlockText`	16	`contains` 8, `in` 6, `eq` 3	`cert_system_store_local_machine`, `crypto::certificates`, `).create(`, `-dumpcr`, `[system.io.file]::copy`
`Type`	14	`eq` 14
`host.os.type`	14	`eq` 14
`CallTrace`	13	`contains` 12, `ends_with` 1, `in` 1, `match` 1, `starts_with` 1	`dbgcore.dll`, `dbghelp.dll`, `seclogon.dll`, `)`, `dbgcore.dll`

Top indicator values (2647 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticCredential Access via TruffleHog Execution elasticCredential Acquisition via Registry Hive Dumping elasticLinux Process Hooking via GDB elasticManual Memory Dumping via Proc Filesystem elasticMicrosoft IIS Connection Strings Decryption elasticMicrosoft IIS Service Account Password Dumped elasticNTDS Dump via Wbadmin elasticNTDS or SAM Database File Copied elasticPotential Credential Access via Renamed COM+ Services DLL elasticPotential Credential Access via Trusted Developer Utility elasticPotential Credential Access via Windows Utilities elasticPotential Linux Credential Dumping via Unshadow elasticPotential Privilege Escalation via Linux DAC permissions elasticPotential Secret Scanning via Gitleaks elasticPotential Unauthorized Access via Wildcard Injection Detected elasticPotential Veeam Credential Access Command elasticSearching for Saved Credentials via VaultCmd elasticSuspicious /proc/maps Discovery elasticSuspicious Execution from Foomatic-rip or Cupsd Parent elasticSuspicious Execution via Windows Subsystem for Linux elasticSuspicious Symbolic Link Created elasticSymbolic Link to Shadow Copy Created elasticVeeam Backup Library Loaded by Unusual Process elasticWireless Credential Dumping using Netsh Command	24	606
`EventID`	`eq`	`4688` splunkADExplorer Execution (Windows Event Log) splunkADExplorer Snapshot Creation (Windows Event Log) splunkCommon LSASS Memory Dump Behavior (Windows Event Log) splunkcomsvcs.dll Lsass Memory Dump (Windows Event Log) splunkDump File Identified (Windows Event Log) splunkEsentutl Execution (Windows Event Log) splunkMimikatz (Windows Event Log) splunkMimikatz Execution (Windows Event Log) splunkMultiDump.exe Execution (Windows Event Log) splunkntds.dit Access from Unexpected Location (Windows Event Log) splunkntds.dit Command Line (Windows Event Log) splunkNTDSUtil.exe execution (Windows Event Log) splunkPossible Credential Dumping via Windows Network Providers (Windows Event Log) splunkpypykatz commands (Windows Event Log) splunkRdrLeakDiag.exe Memory Dump (Windows Event Log) splunkSuspicious ntds.dit Commands (Windows Event Log) splunkTask Manager lsass Dump (Windows Event Log) splunkWDigest Forced Credential Caching (Windows Event Log) kustoPowershell Empire Cmdlets Executed in Command Line	19	313
`EventID`	`eq`	`1` splunkADExplorer Execution (Sysmon) splunkADExplorer Snapshot Creation (Sysmon) splunkcomsvcs.dll Lsass Memory Dump (Sysmon) splunkEsentutl Execution (Sysmon) splunkMimikatz (Sysmon) splunkMultiDump.exe Execution (Sysmon) splunkntds.dit Access from Unexpected Location (Sysmon) splunkntds.dit Command Line (Sysmon) splunkNTDSUtil.exe execution (Sysmon) splunkRdrLeakDiag.exe Memory Dump (Sysmon) splunkSuspicious ntds.dit Commands (Sysmon) splunkWDigest Forced Credential Caching (Sysmon) kustoEuropium - Hash and IP IOCs - September 2022	13	237
`EventID`	`eq`	`4104` splunkDetect Copy of ShadowCopy with Script Block Logging splunkDetect Mimikatz With PowerShell Script Block Logging splunkDump File Identified (PowerShell) splunkEsentutl Execution (PowerShell) splunkntds.dit Command Line (PowerShell) splunkPossible Credential Dumping via Windows Network Providers (PowerShell) splunkRdrLeakDiag.exe Memory Dump (PowerShell) splunkSuspicious ntds.dit Commands (PowerShell) splunkWDigest Forced Credential Caching (PowerShell) splunkWindows LAPS Password Gathering Via PowerShell Script	10	268
`EventID`	`eq`	`10` splunkAccess LSASS Memory for Dump Creation splunkDetect Credential Dumping through LSASS access splunkMimikatz (Sysmon) splunkWindows Hunting System Account Targeting Lsass splunkWindows Non-System Account Targeting Lsass splunkWindows Possible Credential Dumping kustoDumping LSASS Process Into a File	7	16
`EventID`	`eq`	`4656` splunkBrowser Credential File Accessed - Windows (Windows Event Log) splunkCommon LSASS Memory Dump Behavior (Windows Event Log) splunkLSASS Handle request (Windows Event Log) splunkMimikatz (Windows Event Log) splunkPotential Credential Dumping of LSASS (Windows Event Log) splunkPotential nanodump execution (Windows Event Log) splunkTask Manager lsass Dump (Windows Event Log)	7	19
`EventID`	`eq`	`4663` splunkBrowser Credential File Accessed - Windows (Windows Event Log) splunkPotential Credential Dumping of LSASS (Windows Event Log) splunkPotential nanodump execution (Windows Event Log) splunkSAM Database File Access Attempt splunkSAM, System, Security Files Accessed (Windows Event Log) splunkTask Manager lsass Dump (Windows Event Log)	6	34
`EventID`	`eq`	`4103` splunkDump File Identified (PowerShell) splunkEsentutl Execution (PowerShell) splunkntds.dit Command Line (PowerShell) splunkPossible Credential Dumping via Windows Network Providers (PowerShell) splunkRdrLeakDiag.exe Memory Dump (PowerShell)	5	105
`EventID`	`eq`	`4662` splunkExcessive DRSGetNCChanges Requests (Windows Event Log) splunkPotential DCSync (Windows Event Log) splunkWindows AD Replication Request Initiated by User Account splunkWindows AD Replication Request Initiated from Unsanctioned Location kustoNon Domain Controller Active Directory Replication	5	13
`TargetImage`	`ends_with`	`\lsass.exe` sigmaCredential Dumping Activity By Python Based Tool sigmaCredential Dumping Attempt Via WerFault sigmaHackTool - HandleKatz Duplicating LSASS Handle sigmaLSASS Access From Potentially White-Listed Processes sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaLSASS Memory Access by Tool With Dump Keyword In Name sigmaLsass Memory Dump via Comsvcs DLL sigmaPassword Dumper Remote Thread in LSASS sigmaPotential Credential Dumping Activity Via LSASS sigmaPotential Credential Dumping Attempt Via PowerShell sigmaPotential Credential Dumping Attempt Via PowerShell Remote Thread sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaRemote LSASS Process Access Through Windows Remote Management sigmaSuspicious LSASS Access Via MalSecLogon sigmaSuspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs sigmaUncommon GrantedAccess Flags On LSASS	16	16
`SubjectUserName`	`ends_with`	`$` sigmaActive Directory Replication from Non Machine Account sigmaBackdoor introduction via registry permission change through WMI (DAMP) sigmaLSASS Access From Non System Account sigmaLSASS credential dump with LSASSY (kernel access) sigmaLSASS process dump by a non system account sigmaMimikatz DC Sync sigmaNetSYnc attack sigmaReplication privileges accessed to perform DCSync attack sigmaSAM database user credentials dump with Mimikatz	9	3
`event.category`	`eq`	`process` elasticPotential Invoke-Mimikatz PowerShell Script elasticPotential LSASS Memory Dump via PssCaptureSnapShot elasticPotential PowerShell HackTool Script by Function Names elasticPotential Privilege Escalation via Linux DAC permissions elasticPotential Shadow File Read via Command Line Utilities elasticPowerShell Invoke-NinjaCopy script elasticPowerShell Kerberos Ticket Dump elasticPowerShell MiniDump Script elasticPowerShell Script with Veeam Credential Access Capabilities	9	128
`EventType`	`in`	`exec` elasticLinux Process Hooking via GDB elasticManual Memory Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Unshadow elasticPotential Shadow File Read via Command Line Utilities elasticPotential Unauthorized Access via Wildcard Injection Detected elasticSuspicious /proc/maps Discovery elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	8	171
`EventType`	`in`	`exec_event` elasticLinux Process Hooking via GDB elasticManual Memory Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Unshadow elasticPotential Shadow File Read via Command Line Utilities elasticPotential Unauthorized Access via Wildcard Injection Detected elasticSuspicious /proc/maps Discovery elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	8	139
`EventType`	`in`	`start` elasticLinux Process Hooking via GDB elasticManual Memory Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Unshadow elasticPotential Unauthorized Access via Wildcard Injection Detected elasticSuspicious /proc/maps Discovery elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	7	134
`EventType`	`in`	`ProcessRollup2` elasticLinux Process Hooking via GDB elasticManual Memory Dumping via Proc Filesystem elasticPotential Linux Credential Dumping via Unshadow elasticPotential Unauthorized Access via Wildcard Injection Detected elasticSuspicious /proc/maps Discovery elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	6	117
`Image`	`ends_with`	`\rundll32.exe` sigmaDbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process sigmaLSASS credential dump with LSASSY (process) sigmaLsass Memory Dump via Comsvcs DLL sigmaNotPetya Ransomware Activity sigmaNTDS.DIT Creation By Uncommon Process sigmaProcess Memory Dump Via Comsvcs.DLL sigmaSuspicious Renamed Comsvcs DLL Loaded By Rundll32	7	95
`Image`	`ends_with`	`\powershell.exe` sigmaLSASS credential dump with LSASSY (process) sigmaNTDS.DIT Creation By Uncommon Process sigmaPotential Credential Dumping Attempt Via PowerShell sigmaPotential Credential Dumping Attempt Via PowerShell Remote Thread sigmaShadow Copies Creation Using Operating Systems Utilities	5	182
`CommandLine`	`contains`	`lsass` sigmaHackTool - HandleKatz LSASS Dumper Execution sigmaLSASS Dump Keyword In CommandLine sigmaPotential SysInternals ProcDump Evasion kustoDopplePaymer Procdump kustoLSASS Credential Dumping with Procdump chronicleLSASS Dump Keyword In CommandLine	6	9
`CommandLine`	`contains`	`.dmp` sigmaHackTool - HandleKatz LSASS Dumper Execution sigmaLSASS Dump Keyword In CommandLine sigmaRenamed CreateDump Utility Execution chronicleLSASS Dump Keyword In CommandLine chronicleRenamed CreateDump Utility Execution	5	10
`CommandLine`	`contains`	`\windows\ntds\ntds.dit` sigmaCopying Sensitive Files with Credential Data sigmaSensitive File Dump Via Print.EXE sigmaSensitive File Dump Via Wbadmin.EXE sigmaSensitive File Recovery From Backup Via Wbadmin.EXE sigmaSuspicious Process Patterns NTDS.DIT Exfil	5	5
`CommandLine`	`contains`	`create` sigmaIFM creation detected from commandline (installation from media) sigmaShadow Copies Creation Using Operating Systems Utilities splunkCreation of Shadow Copy splunkCreation of Shadow Copy with wmic and powershell splunkNtdsutil Export NTDS	5	24
`DeviceProduct`	`eq`	`X Series` kustoVectra Account's Behaviors kustoVectra AI Detect - Detections with High Severity kustoVectra AI Detect - Suspected Compromised Account kustoVectra AI Detect - Suspected Compromised Host kustoVectra AI Detect - Suspicious Behaviors by Category kustoVectra Host's Behaviors	6	7
`DeviceVendor`	`eq`	`Vectra Networks` kustoVectra Account's Behaviors kustoVectra AI Detect - Detections with High Severity kustoVectra AI Detect - Suspected Compromised Account kustoVectra AI Detect - Suspected Compromised Host kustoVectra AI Detect - Suspicious Behaviors by Category kustoVectra Host's Behaviors	6	7
`MessageType`	`eq`	`2` kustoAlsid DCSync kustoAlsid LSASS Memory kustoTenable.ad DCSync kustoTenable.ad LSASS Memory kustoTIE DCSync kustoTIE LSASS Memory	6	21
`Properties`	`contains`	`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` sigmaActive Directory Replication from Non Machine Account sigmaMimikatz DC Sync sigmaReplication privileges accessed to perform DCSync attack elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync kustoNon Domain Controller Active Directory Replication	6	6
`Properties`	`contains`	`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` sigmaActive Directory Replication from Non Machine Account sigmaMimikatz DC Sync sigmaReplication privileges accessed to perform DCSync attack elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync kustoNon Domain Controller Active Directory Replication	6	6
`Properties`	`contains`	`89e95b76-444d-4c62-991a-0facbeda640c` sigmaActive Directory Replication from Non Machine Account sigmaMimikatz DC Sync sigmaReplication privileges accessed to perform DCSync attack elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync kustoNon Domain Controller Active Directory Replication	6	6
`AccessMask`	`eq`	`0x100` sigmaActive Directory Replication from Non Machine Account sigmaMimikatz DC Sync elasticPotential Credential Access via DCSync splunkWindows AD Replication Request Initiated by User Account splunkWindows AD Replication Request Initiated from Unsanctioned Location	5	5
`GrantedAccess`	`eq`	`0x1fffff` sigmaCredential Dumping Activity By Python Based Tool sigmaCredential Dumping Attempt Via WerFault sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaLSASS dump via process access kustoDumping LSASS Process Into a File	5	9

Exclusions (560 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`SubjectUserName`	`ends_with`	`$` sigmaActive Directory Replication from Non Machine Account sigmaBackdoor introduction via registry permission change through WMI (DAMP) sigmaLSASS Access From Non System Account sigmaLSASS credential dump with LSASSY (kernel access) sigmaLSASS process dump by a non system account sigmaMimikatz DC Sync sigmaNetSYnc attack sigmaReplication privileges accessed to perform DCSync attack sigmaSAM database user credentials dump with Mimikatz elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync	11
`SubjectUserName`	`starts_with`	`MSOL_` sigmaActive Directory Replication from Non Machine Account sigmaMimikatz DC Sync elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync	4
`Image`	`ends_with`	`\aurora-agent-64.exe` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaUncommon GrantedAccess Flags On LSASS	3
`Image`	`ends_with`	`\aurora-agent.exe` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaUncommon GrantedAccess Flags On LSASS	3
`Image`	`ends_with`	`\mbaminstallerservice.exe` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaUncommon GrantedAccess Flags On LSASS	3
`Image`	`ends_with`	`\thor.exe` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaUncommon GrantedAccess Flags On LSASS	3
`Image`	`ends_with`	`\thor64.exe` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaPotentially Suspicious GrantedAccess Flags On LSASS sigmaUncommon GrantedAccess Flags On LSASS	3
`SubjectUserSid`	`eq`	`S-1-5-18` sigmaGroup Managed Service Accounts password dump - GoldenGMSA elasticAccess to a Sensitive LDAP Attribute splunkWindows AD Replication Request Initiated by User Account	3
`process_name`	`eq`	`c:\windows\system32\wbem\wmiprvse.exe` sigmaLSASS Access Detected via Attack Surface Reduction sigmaLSASS Access From Non System Account elasticLSASS Memory Dump Handle Access	3
`user.id`	`eq`	`S-1-5-18` elasticFull User-Mode Dumps Enabled System-Wide elasticModification of WDigest Security Provider elasticSensitive Registry Hive Access via RegBack	3
`GrantedAccess`	`eq`	`0x1410` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaUncommon GrantedAccess Flags On LSASS	2
`GrantedAccess`	`eq`	`0x40` sigmaPotentially Suspicious GrantedAccess Flags On LSASS elasticSuspicious Lsass Process Access	2
`GrantedAccess`	`eq`	`0x410` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaUncommon GrantedAccess Flags On LSASS	2
`Image`	`contains`	`\appdata\local\` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaUncommon GrantedAccess Flags On LSASS	2
`Image`	`contains`	`\appdata\local\temp\` sigmaLSASS Access From Program In Potentially Suspicious Folder sigmaUncommon GrantedAccess Flags On LSASS	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

OS Credential Dumping `T1003`

Events covered

Authoring guide

Fields filtered most (209 distinct)

Top indicator values (2647 distinct)

Exclusions (560 distinct)

Rules under this technique

Sigma 170 rules

Elastic 68 rules

Splunk 94 rules

Kusto 33 rules

YARA-L 21 rules

Panther 3 rules

Keyboard shortcuts

Search operators

OS Credential Dumping T1003

Events covered

Authoring guide

Fields filtered most (209 distinct)

Top indicator values (2647 distinct)

Exclusions (560 distinct)

Rules under this technique

Sigma 170 rules

Elastic 68 rules

Splunk 94 rules

Kusto 33 rules

YARA-L 21 rules

Panther 3 rules

OS Credential Dumping `T1003`