Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via the command line interface.
Detects usage of cmdkey to look for cached credentials on the system
Detects the use of cmdkey to add, remove, or list credentials.
Detects the creation of files with well-known filenames (components of credential dumping software or files produced by it)
Detects well-known mimikatz command line arguments
Detects well-known credential dumping tools execution via service execution events
Detects well-known credential dumping tools execution via specific named pipe creation
Detects the usage of "reg.exe" in order to dump sensitive registry hives, which include SAM, SYSTEM and SECURITY
Detection of well-known mimikatz command line arguments. Added more command line indicators from the referenced rule by author Teymur Kheirkhabarov, oscd.community