Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects when the file "passwd" or "shadow" is copied from tmp path

Read More

Detects when a user disables a critical security feature for an organization.

Read More

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Read More

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Read More

Detects the use of KrbRelay, a Kerberos relaying tool

Read More

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Read More

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Read More

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

Read More

Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Detects usage of cmdkey to look for cached credentials on the system

Read More

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Read More

Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Read More

Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.

Read More

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

Read More

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

Read More

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions

Read More

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks

Read More

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

Read More

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Read More

Detects PowerShell scripts that contains reference to keystroke capturing functions

Read More

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Read More

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

Read More

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Detects the use of cmdkey to add, remove, or list credentials.

Read More

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

Read More

Alert on when legacy authentication has been used on an account

Read More

Detects new user account creation

Read More

Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.

Read More

Detects access to Okta admin functions through proxy.

Read More

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Read More

Detects service principal name (SPN) enumeration used for Kerberoasting

Read More

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Read More

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Read More

Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

Read More

Detects a highly relevant Antivirus alert that reports a password dumper

Read More

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Read More

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Read More

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Read More

Detection well-known mimikatz command line arguments

Read More

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Read More

Detects the use of Windows Credential Editor (WCE)

Read More

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Read More

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Read More

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

Read More

Detects possible addition of shadow credentials to an active directory object.

Read More

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Adversaries may search for private key certificate files on compromised systems for insecurely stored credential

Read More

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Read More

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Read More

Shadow Copies creation using operating systems utilities, possible credential access

Read More

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.

Read More

Detects files written by the different tools that exploit HiveNightmare

Read More

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Read More

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detect when users are authenticating without MFA being required.

Read More

Identifies when a key vault is modified or deleted.

Read More

Identifies when a Keyvault Key is modified or deleted in Azure.

Read More

Identifies when secrets are modified or deleted in Azure.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Identifies when a Azure Kubernetes network policy is modified or deleted.

Read More

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Read More

Detects suspicious file creation patterns found in logs when CrackMapExec is used

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects when highly privileged delegated permissions are granted on behalf of all users

Read More

Detects when an end user consents to an application

Read More

Detects when end user consent is blocked due to risk-based consent.

Read More

Detects processes that query known 3rd party registry keys that holds credentials via commandline

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Read More

Detects events with patterns found in commands used for reconnaissance on linux systems

Read More

Detects Access to LSASS Process

Read More

Detects potential mimikatz-like tools accessing LSASS from non system account

Read More

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

Read More

Detects Mimikatz DC sync security events

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects potential abuse of ntdsutil to dump ntds.dit database

Read More

Detect when a user has reset their password in Azure AD

Read More

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

Read More

Detects DCShadow via create new SPN

Read More

Detect AD credential dumping using impacket secretdump HKTL

Read More

Detect PetitPotam coerced authentication activity.

Read More

Detects PowerShell processes requesting access to "lsass.exe"

Read More

Detects remote thread creation by PowerShell processes into "lsass.exe"

Read More

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Read More

Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass

Read More

Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential

Read More

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Read More

Uses PowerShell to install/copy a a file into a system directory such as "System32" or "SysWOW64"

Read More

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Read More

Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)

Read More

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Read More

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Read More

Detect successful authentications from countries you do not operate out of.

Read More

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Read More

Detects service ticket requests using RC4 encryption type

Read More

Detects suspicious access to Lsass handle via a call trace to "seclogon.dll"

Read More

Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.

Read More

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Read More

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Read More

Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.

Read More

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Read More

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

Read More

List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe

Read More

Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.

Read More

Identifies when the Secrets are Modified or Deleted.

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Read More

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

Read More

Detects process handle on LSASS process with certain access mask

Read More

Detects failed logon attempts from clients to MSSQL server.

Read More

Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Loading unsigned image (DLL, EXE) into LSASS process

Read More

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

Read More

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Read More

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Read More

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Read More

Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft

Read More

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Read More

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Read More

Indicates that a password spray attack has been successfully performed.

Read More

Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns

Read More

Detects attempts to retrieve/dump credentials using the DL_DRSGetNCChanges() method.

Read More

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects well-known credential dumping tools execution via specific named pipe creation

Read More

Detects creation of default named pipes used by the Koh tool

Read More

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

Read More

Detects execution of PktMon, a tool that captures network packets.

Read More

Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools

Read More

Detects the execution of the hacktool Rubeus using specific command line flags

Read More

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

Read More

Detects process access to LSASS memory with suspicious access flags

Read More

Detects volume shadow copy mount via Windows event log

Read More

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Read More

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.

Read More

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Read More

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Read More

Detects when an application acquires a certificate private key

Read More

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Read More

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Read More

Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers

Read More

Detects potential LSASS abuse based on unusual parent-child process lineage patterns. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of LSASS running under any non-privileged user context, which can indicate abuse. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

Read More

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Read More

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database)

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Read More

Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity

Read More

Detect standard users login that are part of high privileged groups such as the Administrator group

Read More

Detecting attempts to extract passwords with grep

Read More

Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers

Read More

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

Read More

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.

Read More

Search for accessing of fake files with stored credentials

Read More

Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

Read More

Detects attempts to create vulnerable Kerberos Ticket Granting Service (TGS) tickets using the RC4-HMAC encryption type.

Read More

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.

Read More

Detects QuarksPwDump clearing access history in hive

Read More

Detects Windows Pcap driver installation based on a list of associated .sys files.

Read More

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Read More

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder

Read More

Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Read More

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Read More

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Read More

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.

Read More

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Read More

Shadow Copies storage symbolic link creation using operating systems utilities

Read More

Files with well-known filenames (sensitive files with credential data) copying

Read More

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Read More