Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
Sigma rule (View on GitHub)
1title: Windows LAPS Credential Dump From Entra ID
2id: a4b25073-8947-489c-a8dd-93b41c23f26d
3status: test
4description: Detects when an account dumps the LAPS password from Entra ID.
5references:
6 - https://twitter.com/NathanMcNulty/status/1785051227568632263
7 - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
8 - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
9author: andrewdanis
10date: 2024-06-26
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.t1098.005
15logsource:
16 product: azure
17 service: auditlogs
18detection:
19 selection:
20 category: 'Device'
21 activityType|contains: 'Recover device local administrator password'
22 additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
23 condition: selection
24falsepositives:
25 - Approved activity performed by an Administrator.
26level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Windows LAPS provides centralized, simple and secure management of local administrator passwords in Microsoft Intune.
Read More -
Check out Windows Local Administrator Password Solution to keep your Windows devices in Azure AD secure!
Read More
Related rules
- Suspicious SQL Query
- Kapeka Backdoor Scheduled Task Creation
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path