Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Detects the execution of the hacktool Rubeus using specific command line flags

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing

Shadow Copies creation using operating systems utilities, possible credential access

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Detects a highly relevant Antivirus alert that reports a password dumper

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Detect attempt to enable auditing of TTY input

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.