Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Detects when an application acquires a certificate private key

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials

Detects process access to LSASS memory with suspicious access flags

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Adversaries may search for private key certificate files on compromised systems for insecurely stored credential

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Detects creation of a file named "ntds.dit" (Active Directory Database)

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Detects remote thread creation by PowerShell processes into "lsass.exe"

Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity

Detect standard users login that are part of high privileged groups such as the Administrator group

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Detecting attempts to extract passwords with grep

Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers

Detects the execution of the hacktool Rubeus using specific command line flags

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Detects well-known credential dumping tools execution via service execution events

Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential

Detects QuarksPwDump clearing access history in hive

Detects volume shadow copy mount via windows event log

Detects Windows Pcap driver installation based on a list of associated .sys files.

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)

Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder

Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Detects process handle on LSASS process with certain access mask

Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.