Detects well-known credential dumping tools execution via service execution events

Detection well-known mimikatz command line arguments

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Detects well-known credential dumping tools execution via service execution events

Detects well-known credential dumping tools execution via service execution events

Detects Mimikatz DC sync security events

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community