Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detection well-known mimikatz command line arguments

Read More

Detects Mimikatz DC sync security events

Read More

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Read More

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More

This detection analytic identifies Impacket’s secretsdump.py script on a target host, which is the most common script we have observed in customer environments. secretsdump.py is remotely run on an adversary’s machine to steal credentials. The command is commonly executed by svchost.exe, where regsvc.dll is loaded which allows the export of credentials from the registry. The output is redirected to an eight-character TMP file within the System32 directory. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects attempts to retrieve/dump credentials using the DL_DRSGetNCChanges() method.

Read More