credential-theft-hunt

Official

Hunt credential theft artifacts in memory images.

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This Skill solves the critical incident response challenge of identifying and recovering credentials stolen via OS credential dumping during security breaches, eliminating time-consuming, error-prone manual analysis of Windows memory images for credential theft evidence.

Core Features & Use Cases

  • MITRE ATT&CK T1003 Mapping: Aligns findings to all OS Credential Dumping sub-techniques (T1003.001 through T1003.006) for standardized reporting.
  • Comprehensive Credential Extraction: Recovers SAM hashes, LSA secrets, cached domain credentials, Kerberos tickets, and LSASS memory credentials from Windows memory dumps.
  • Credential Theft Tooling Detection: Identifies artifacts of Mimikatz, Dumpert, NanoDump, and living-off-the-land LSASS dumping techniques via process analysis and YARA scanning.
  • Use Case: Incident response teams can use this Skill to quickly determine if an attacker harvested credentials from a compromised endpoint, and generate a seed set of affected accounts for mandatory password resets.

Quick Start

Use the credential-theft-hunt skill to analyze the provided Windows memory image, recover all accessible credentials, and identify any evidence of credential theft activity.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: credential-theft-hunt
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#credential-theft-hunt

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.