Detects well-known credential dumping tools execution via service execution events
Detection of well-known mimikatz command line arguments
Detects the usage of "reg.exe" to dump sensitive registry hives, including SAM, SYSTEM and SECURITY
Detects usage of cmdkey to add generic credentials. For example, this must be done before connecting to an RDP session from the command line interface.
Detects usage of cmdkey to look for cached credentials on the system
Detection of well-known mimikatz command line arguments. Added more command line indicators from the referenced rule by author - Teymur Kheirkhabarov, oscd.community
Detects creation of files with well-known filenames (parts of credential dumping software or files produced by it)
Detects well-known credential dumping tools execution via specific named pipes