This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

Read More

Identify LAPS credential dumping by looking for users accessing objects via Event ID 4662, and login authentication events via Event ID 4624. The two events must contain the same LogonID to track the same logon session. NOTE - The TargetLogonId has to match the SubjectLogonId. Not sure how to implement the logic using sigma, so I have left it as a placeholder. Make sure to change it depending on the SIEM you are using.

Read More

Detects the use of lazagne looking into the command line execution.

Read More

Kerberos ticket files (.kirbi) are of interest to adversaries as they can contain sensitive data such as NTLM hashes that can be cracked offline. To perform these attacks, a unique file extension variable is defined within Mimikatz that designates the default extension as .kirbi. Part of the RedCanary 2024 Threat Detection Report.

Read More

Identifies processes in which Mimikatz module names are observed as command-line parameters. Part of the RedCanary 2024 Threat Detection Report.

Read More

Impacket’s SecretsDump utility consistently involves the Windows Service Host (svchost.exe) writing randomly named .tmp files to the System32 directory. The following pseudo-detector should offer defenders a reliable method of detecting Impacket's SecretsDump utility. Part of the RedCanary 2024 Threat Detection Report.

Read More

This detection analytic identifies Impacket’s secretsdump.py script on a target host, which is the most common script we have observed in customer environments. secretsdump.py is remotely run on an adversary’s machine to steal credentials. The command is commonly executed by svchost.exe, where regsvc.dll is loaded which allows the export of credentials from the registry. The output is redirected to an eight-character TMP file within the System32 directory. Part of the RedCanary 2024 Threat Detection Report.

Read More

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the use of lazagne using command line execution.

Read More

Detects the use of cmdkey to add, remove, or list credentials.

Read More

Detects attempts to retrieve/dump credentials using the DL_DRSGetNCChanges() method.

Read More

Detects potential LSASS abuse based on unusual parent-child process lineage patterns. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of LSASS running under any non-privileged user context, which can indicate abuse. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.

Read More

Search for accessing of fake files with stored credentials

Read More

Detects attempts to create vulnerable Kerberos Ticket Granting Service (TGS) tickets using the RC4-HMAC encryption type.

Read More

Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.

Read More

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects use of the ntdsutil utility to pull ntds.dit (Active Directory database).

Read More

Detects potential lsass.exe abuse based on unusual and suspicious parent-child relationships. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects obviously suspicious cross-process events targetting lsass.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More