attack.t1003.005

New Generic Credentials Added Via Cmdkey.EXE

Dec 1, 2023 · attack.credential_access attack.t1003.005 ·

Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

Dec 1, 2023 · attack.credential_access attack.t1003.005 ·

Share on:

Detects usage of cmdkey to look for cached credentials on the system

Adding, Listing and Removing Credentials via Cmdkey CommandLine Ultility

Oct 30, 2023 · attack.credential_access attack.t1003.005 ·

Share on:

Detects the use of cmdkey to add, remove, or list credentials.

Cred Dump Tools Dropped Files

Oct 18, 2023 · attack.credential_access attack.t1003.001 attack.t1003.002 attack.t1003.003 attack.t1003.004 attack.t1003.005 ·

Share on:

Files with well-known filenames (parts of credential dump software or files produced by them) creation

HackTool - Mimikatz Execution

Oct 18, 2023 · attack.credential_access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·

Share on:

Detection well-known mimikatz command line arguments

Credential Dumping Tools Service Execution - System

Oct 17, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·

Share on:

Detects well-known credential dumping tools execution via service execution events

Credential Dumping Tools Service Execution

Aug 7, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·

Share on:

Detects well-known credential dumping tools execution via service execution events

Credential Dumping Tools Service Execution - Security

Aug 7, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·

Share on:

Detects well-known credential dumping tools execution via service execution events

HackTool - Credential Dumping Tools Named Pipe Created

Aug 7, 2023 · attack.credential_access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 ·

Share on:

Detects well-known credential dumping tools execution via specific named pipe creation

Dumping of Sensitive Hives Via Reg.EXE

Feb 7, 2023 · attack.credential_access attack.t1003.002 attack.t1003.004 attack.t1003.005 car.2013-07-001 ·

Share on:

Detects the usage of "reg.exe" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY

Mimikatz Command Line With Ticket Export

Jan 8, 2023 · attack.credential_access attack.t1003 attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·

Share on:

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community