attack.t1003.004

Mimikatz Command Line With Ticket Export

Mar 18, 2025 · attack.credential-access attack.t1003 attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·

Share on:

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Cred Dump Tools Dropped Files

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.003 attack.t1003.004 attack.t1003.005 ·

Share on:

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Credential Dumping Tools Service Execution - Security

Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·

Share on:

Detects well-known credential dumping tools execution via service execution events

Credential Dumping Tools Service Execution - System

Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·

Share on:

Detects well-known credential dumping tools execution via service execution events

DPAPI Domain Backup Key Extraction

Aug 12, 2024 · attack.credential-access attack.t1003.004 ·

Share on:

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

DPAPI Domain Master Key Backup Attempt

Aug 12, 2024 · attack.credential-access attack.t1003.004 ·

Share on:

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Dumping of Sensitive Hives Via Reg.EXE

Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.004 attack.t1003.005 car.2013-07-001 ·

Share on:

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

HackTool - Credential Dumping Tools Named Pipe Created

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 ·

Share on:

Detects well-known credential dumping tools execution via specific named pipe creation

HackTool - Mimikatz Execution

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·

Share on:

Detection well-known mimikatz command line arguments

Mimikatz Use

Aug 12, 2024 · attack.s0002 attack.lateral-movement attack.credential-access car.2013-07-001 car.2019-04-004 attack.t1003.002 attack.t1003.004 attack.t1003.001 attack.t1003.006 ·

Share on:

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Possible Impacket SecretDump Remote Activity

Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.004 attack.t1003.003 ·

Share on:

Detect AD credential dumping using impacket secretdump HKTL

Possible Impacket SecretDump Remote Activity - Zeek

Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.004 attack.t1003.003 ·

Share on:

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml