Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Read More

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

Read More

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Read More

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

Read More

Detects a highly relevant Antivirus alert that reports a password dumper

Read More

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Read More

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Shadow Copies creation using operating systems utilities, possible credential access

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Read More

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Read More

Detects attempts to retrieve/dump credentials using the DL_DRSGetNCChanges() method.

Read More

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Read More

Detects the execution of the hacktool Rubeus using specific command line flags

Read More

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Read More

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Read More

Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key

Read More

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Read More

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Read More

Detect attempt to enable auditing of TTY input

Read More

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects use of the ntdsutil utility to pull ntds.dit (Active Directory database).

Read More

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Read More