Detects well-known credential dumping tools execution via service execution events

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Detection well-known mimikatz command line arguments

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

Detects the usage of "reg.exe" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY

Detects well-known credential dumping tools execution via service execution events

Detects well-known credential dumping tools execution via service execution events

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Detects well-known credential dumping tools execution via specific named pipes

Detect AD credential dumping using impacket secretdump HKTL

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml