threat hunt hypothesis generator — free browser tool | fatcousin

select mitre ttp · structured artifact checklist · spl and kql blocks · markdown playbook export · runs locally

select ttp

tactic filter

search technique id or name

87 matching ttp(s)

T1003.001 · OS Credential Dumping: LSASS Memory · Credential Access

hunting checklist

Process

lsass.exe accessed by non-system process · high
Sysmon Event 10 TargetImage=lsass.exe
tool: Sysmon
procdump64.exe execution · high
Prefetch/AmCache/ShimCache
tool: Velociraptor

Event Log

Registry

File

Network

comsvcs MiniDump via rundll32 · high
4688 rundll32 comsvcs.dll,MiniDump
tool: 4688 CSV

null result means

No LSASS access may mean dump used kernel driver or offline image analysis only.

hunt queries

splunk spl

index=windows EventCode=10 TargetImage="*lsass.exe"

export