Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
Read MoreDumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY
Read MoreThis method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
Read MoreMimikatz Command Line With Ticket Export
Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community
Read MoreCred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
Read MorePossible Impacket SecretDump Remote Activity - Zeek
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Read More