attack.credential_access

Process Access via TrolleyExpress Exclusion
level
status experimental

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

LSASS Memory Access by Tool Named Dump
level
status experimental

Detects a possible process memory dump based on a keyword in the file name of the accessing process

LSASS Access from White-Listed Processes
level
status experimental

Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference

Create Volume Shadow Copy with Powershell
level
status experimental

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Suspicious Process Writes Ntds.dit
level
status experimental

Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file

Request A Single Ticket via PowerShell
level
status experimental

Utilizes native PowerShell identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically seen during a Kerberoasting or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Suspicious Connection to Remote Account
level
status experimental

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism

Powershell Install a DLL in System32
level
status experimental

Uses PowerShell to install a DLL in System32

Password Cracking with Hashcat
level
status experimental

Executes hashcat.exe against hashes extracted from a provided Windows SAM registry hive, using a supplied password list to crack them.

Findstr GPP Passwords
level
status experimental

Looks for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

Suspicious Reg Add Open Command
level
status experimental

Threat actors have performed dumping of the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key.

Mimikatz MemSSP Default Log File Creation
level
status experimental

Detects Mimikatz MemSSP default log file creation

Enumerate Credentials from Windows Credential Manager With PowerShell
level
status experimental

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Dump Credentials from Windows Credential Manager With PowerShell
level
status experimental

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Accessing Encrypted Credentials from Google Chrome Login Database
level
status deprecated

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Suspicious Unattend.xml File Access
level
status experimental

Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are kept. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process.

Extracting Information with PowerShell
level
status experimental

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Exploit SamAccountName Spoofing with Kerberos
level
status experimental

The attacker creates a computer object, using the permissions granted to them, with a password they know. They then clear the ServicePrincipalName attribute on the computer object. Because they created the object (CREATOR OWNER), they are granted additional permissions and can make many changes to it.

NPPSpy Hacktool Usage
level
status experimental

Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file

LSASS Access from Program in Suspicious Folder
level
status experimental

Detects process access to LSASS memory with suspicious access flags and from a suspicious folder

Suspicious LSASS Process Clone
level
status experimental

Detects a suspicious LSASS process clone that could be a sign of process dumping activity

Suspicious Dump64.exe Execution
level
status experimental

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder

Azure Kubernetes Admission Controller
level
status experimental

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Google Cloud Kubernetes Admission Controller
level
status experimental

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

ADCS Certificate Template Configuration Vulnerability
level
status experimental

Detects certificate creation with a template that allows risky subject permissions (e.g. the enrollee supplying the subject)

ADCS Certificate Template Configuration Vulnerability with Risky EKU
level
status experimental

Detects certificate creation with a template that allows risky subject permissions and a risky EKU

User Access Blocked by Azure Conditional Access
level
status experimental

Detects access that has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login attempts against valid accounts.

Change to Authentication Method
level
status experimental

A change to an authentication method could be an indication of an attacker adding an authentication method to the account so they can retain access.

Account Lockout
level
status experimental

Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Process Dump via RdrLeakDiag.exe
level
status experimental

Detects a process memory dump performed by RdrLeakDiag.exe

Azure Keyvault Secrets Modified or Deleted
level
status experimental

Identifies when secrets are modified or deleted in an Azure Key Vault.

Azure Keyvault Key Modified or Deleted
level
status experimental

Identifies when a Keyvault Key is modified or deleted in Azure.

Azure Key Vault Modified or Deleted
level
status experimental

Identifies when a key vault is modified or deleted.

ADCSPwn Hack Tool
level
status test

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service

PowerShell SAM Copy
level
status experimental

Detects suspicious PowerShell scripts accessing SAM hives

Automated Collection Command Prompt
level
status experimental

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

AWS Route 53 Domain Transfer Lock Disabled
level
status experimental

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

AWS Route 53 Domain Transferred to Another Account
level
status experimental

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Discover Private Keys
level
status experimental

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials

CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
level
status experimental

Detects patterns as observed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by the threat group Sourgum

CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
level
status experimental

Detects patterns as observed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by the threat group Sourgum

Suspicious Serv-U Process Pattern
level
status experimental

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Windows Pcap Drivers
level
status test

Detects Windows Pcap driver installation based on a list of associated .sys files.

Harvesting of Wifi Credentials Using netsh.exe
level
status test

Detects the harvesting of Wi-Fi credentials using netsh.exe

Process Dump via Rundll32 and Comsvcs.dll
level
status experimental

Detects a process memory dump performed via ordinal function 24 in comsvcs.dll

Kerberos Network Traffic RC4 Ticket Encryption
level
status test

Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting

Audit CVE Event
level
status experimental

Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)

Windows Credential Editor Registry
level
status test

Detects the use of Windows Credential Editor (WCE)

SecurityXploded Tool
level
status experimental

Detects the execution of SecurityXploded Tools

RottenPotato Like Attack Pattern
level
status experimental

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Cisco Sniffing
level
status test

Shows when a monitor session or a SPAN/RSPAN is set up or modified

Cisco Show Commands Input
level
status test

Shows what commands are being entered on the device by other users; full credentials can appear in the history

Cisco Crypto Commands
level
status test

Shows when private keys are being exported from the device, or when new certificates are installed

Cisco Collect Data
level
status test

Detects collection of pertinent data from the configuration files

SAM Registry Hive Handle Request
level
status test

Detects handles requested to SAM registry hive

LSASS Access from Non System Account
level
status experimental

Detects potential mimikatz-like tools accessing LSASS from non system account

DPAPI Domain Master Key Backup Attempt
level
status test

Detects anyone attempting a backup of the DPAPI Master Key. This event is generated on the source host and not on the Domain Controller.

DPAPI Domain Backup Key Extraction
level
status test

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

Network Sniffing
level
status test

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Suspicious Outbound Kerberos Connection
level
status test

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Possible DC Shadow
level
status experimental

Detects DCShadow via the creation of a new SPN

LSASS Memory Dumping
level
status test

Detects creation of dump files containing the memory space of lsass.exe, which holds sensitive credentials, and identifies usage of Sysinternals procdump.exe to export that memory space.

Capture a Network Trace with netsh.exe
level
status test

Detects capturing a network trace via the netsh.exe trace functionality

Brute Force
level
status test

Detects many authentication failures from one source to one destination, which may indicate brute force activity

Mimikatz through Windows Remote Management
level
status stable

Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.

Judgement Panda Credential Access Activity
level
status test

Detects Judgement Panda activity as described in the Global Threat Report 2019 by CrowdStrike

iOS Implant URL Pattern
level
status test

Detects URL pattern used by iOS Implant

Suspicious Use of Procdump on LSASS
level
status stable

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we’re also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious SYSVOL Domain Group Policy Access
level
status test

Detects Access to Domain Group Policies stored in SYSVOL

Rubeus Hack Tool
level
status stable

Detects command line parameters used by Rubeus hack tool

NotPetya Ransomware Activity
level
status test

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
level
status test

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Cmdkey Cached Credentials Recon
level
status experimental

Detects usage of cmdkey to look for cached credentials

Activity Related to NTDS.dit Domain Hash Retrieval
level
status deprecated

Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely

Detection of SafetyKatz
level
status test

Detects possible SafetyKatz Behaviour

QuarksPwDump Dump File
level
status test

Detects a dump file written by QuarksPwDump password dumper

WCE wceaux.dll Access
level
status test

Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host

SAM Dump to AppData
level
status test

Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers

Credentials Dumping Tools Accessing LSASS Memory
level
status experimental

Detects process access to LSASS memory that is typical for credential dumping tools

Password Dumper Remote Thread in LSASS
level
status stable

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

Password Dumper Activity on LSASS
level
status experimental

Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN

Kerberos Manipulation
level
status test

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

Mimikatz Use
level
status experimental

This method detects mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups)

Failed Logins with Different Accounts from Single Source System
level
status test

Detects suspicious failed logins with different user accounts from a single source system

VSSAudit Security Event Source Registration
level
status experimental

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Unsigned Image Loaded Into LSASS Process
level
status test

Detects loading of an unsigned image (DLL, EXE) into the LSASS process

Transferring Files with Credential Data via Network Shares - Zeek
level
status test

Detects transfer of files with well-known filenames (sensitive files with credential data) using network shares

Transferring Files with Credential Data via Network Shares
level
status test

Detects transfer of files with well-known filenames (sensitive files with credential data) using network shares

Time Travel Debugging Utility Usage
level
status experimental

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Suspicious Rejected SMB Guest Logon From IP
level
status experimental

Detects attempts at PrintNightmare (CVE-2021-1675) remote code execution in the Windows Print Spooler service

Suspicious PFX File Creation
level
status test

A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.

Suspicious Kerberos RC4 Ticket Encryption
level
status experimental

Detects service ticket requests using RC4 encryption type
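
The two RC4 ticket entries above (Kerberos Network Traffic RC4 Ticket Encryption and Suspicious Kerberos RC4 Ticket Encryption) describe the same signal: a 4769 service ticket request with encryption type 0x17 for a user account SPN. Below is an added example, not part of this listing or of the Sigma rules it indexes, that applies that logic over constructed Windows 4769 event records and then aggregates per requesting IP, since a single RC4 ticket is weak evidence but several distinct service accounts requested by one host in a short window is the Kerberoasting shape. Field names follow the Windows Security event schema; the threshold of three services and the sample data are assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def is_rc4_service_ticket(ev):
    """Single-event test: successful 4769 with an RC4 ticket for a non-machine, non-krbtgt SPN."""
    if ev.get("EventID") != 4769:
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    # A non-zero Status means the KDC refused the request, so no ticket was issued to crack.
    if ev.get("Status", "0x0").lower() != "0x0":
        return False
    service = ev.get("ServiceName", "")
    # Machine accounts (name ends in $) have 120-character random passwords and krbtgt
    # requests are TGT renewals; both are noisy and not Kerberoasting targets.
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return True


def kerberoast_sources(events, min_distinct_services=3):
    """Group RC4 service-ticket requests by requester IP and return those that asked
    for at least min_distinct_services different service accounts."""
    per_source = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket(ev):
            per_source[ev.get("IpAddress", "?")].add(ev["ServiceName"].lower())
    return {ip: sorted(svcs) for ip, svcs in per_source.items()
            if len(svcs) >= min_distinct_services}


def _evt(ip, service, etype, event_id=4769, status="0x0"):
    # Constructed record in the shape of a Windows Security 4769 event (sample data only).
    return {"EventID": event_id, "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": etype, "TicketOptions": "0x40810000",
            "Status": status, "TargetUserName": "bob@CORP.LOCAL"}


# Constructed sample log: one host sweeping three service accounts, plus benign noise.
SAMPLE_EVENTS = [
    _evt("::ffff:10.0.0.5", "svc_sql", "0x17"),
    _evt("::ffff:10.0.0.5", "svc_web", "0x17"),
    _evt("::ffff:10.0.0.5", "svc_backup", "0x17"),
    _evt("::ffff:10.0.0.5", "WS01$", "0x17"),                 # machine account: excluded
    _evt("::ffff:10.0.0.5", "krbtgt", "0x17"),                # TGT renewal: excluded
    _evt("::ffff:10.0.0.9", "svc_sql", "0x12"),               # AES256 ticket: not RC4
    _evt("::ffff:10.0.0.9", "svc_web", "0x17"),               # one RC4 request: below threshold
    _evt("::ffff:10.0.0.9", "svc_sql", "0x17", status="0x1b"),  # refused by the KDC: no ticket
]

if __name__ == "__main__":
    for ip, services in kerberoast_sources(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting from {ip}: {', '.join(services)}")
```

Accounts whose msDS-SupportedEncryptionTypes is unset, and legacy clients, still negotiate RC4 legitimately, so baseline the per-source counts before alerting on the single-event match alone.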

Suspicious History File Operations
level
status test

Detects commandline operations on shell history files

Suspicious History File Operations
level
status test

Detects commandline operations on shell history files

Suspicious Get-ADReplAccount
level
status experimental

Detects use of the Get-ADReplAccount cmdlet. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Suspicious Export-PfxCertificate
level
status experimental

Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines

SilentProcessExit Monitor Registration for LSASS
level
status experimental

Detects changes to the registry in which a monitor program gets registered to dump the process memory of lsass.exe

Shadow Copies Creation Using Operating Systems Utilities
level
status test

Detects shadow copy creation using operating system utilities, a possible sign of credential access

Shadow Copies Access via Symlink
level
status test

Detects creation of a symbolic link to shadow copy storage using operating system utilities

Remote Registry Management Using Reg Utility
level
status test

Detects remote registry management using the REG utility from a non-admin workstation

Registry Parse with Pypykatz
level
status experimental

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry, where the SAM database is stored

Registry Dump of SAM Creds and Secrets
level
status experimental

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry, where the SAM database is stored

QuarksPwDump Clearing Access History
level
status test

Detects QuarksPwDump clearing access history in hive

Process Dump via Comsvcs DLL
level
status test

Detects process memory dump via comsvcs.dll and rundll32

PowerShell Get-Process LSASS in ScriptBlock
level
status experimental

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

PowerShell Get-Process LSASS
level
status experimental

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

PowerShell Credential Prompt
level
status experimental

Detects PowerShell calling a credential prompt

Possible SPN Enumeration
level
status test

Detects Service Principal Name Enumeration used for Kerberoasting

Possible Impacket SecretDump Remote Activity - Zeek
level
status test

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml

Possible Impacket SecretDump Remote Activity
level
status experimental

Detect AD credential dumping using impacket secretdump HKTL

PetitPotam Suspicious Kerberos TGT Request
level
status experimental

Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.

NTLM Brute Force
level
status experimental

Detects common NTLM brute force device names

Network Sniffing
level
status test

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Mimikatz Kirbi File Creation
level
status test

Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz

Mimikatz Detection LSASS Access
level
status deprecated

Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION “only old versions”, 0x0010 PROCESS_VM_READ)

Mimikatz DC Sync
level
status experimental

Detects Mimikatz DC sync security events

Mimikatz Command Line
level
status test

Detects well-known mimikatz command line arguments

Lsass Memory Dump via Comsvcs DLL
level
status experimental

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
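
The rundll32/comsvcs.dll entries above (Process Dump via Rundll32 and Comsvcs.dll, Process Dump via Comsvcs DLL, Lsass Memory Dump via Comsvcs DLL) and the Suspicious Use of Procdump on LSASS entry all key on the process command line rather than the image name, which is what makes them survive a renamed binary. The following is an added example, not part of this listing or of the Sigma rules it indexes, that implements both matches over constructed process-creation command lines. It generalises slightly beyond the descriptions: the comsvcs.dll MiniDump export is ordinal 24, so `#24`, `#+24` and `MiniDump` are all accepted, and the procdump check can optionally resolve a numeric PID argument against a set of known lsass PIDs (an assumption: that set would come from your own process-creation telemetry), since `procdump -ma 624` names no process and would otherwise slip past a plain `lsass` substring match.

```python
import re

# rundll32 + comsvcs.dll: the MiniDump export is ordinal 24, so "#24", "#+24" and
# "MiniDump" all reach the same function. Match the DLL name followed by any spelling.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(?:\.dll)?\s*,?\s*(?:#\s*\+?\s*0*24\b|minidump)", re.I)

# procdump: "-ma" (full dump) or "-mp" (mini-plus) as a standalone switch. The image
# name is deliberately not checked, so a renamed procdump binary is still caught.
PROCDUMP_SWITCH = re.compile(r"(?:^|\s)-m[ap](?=\s|$)", re.I)


def detect(cmdline, lsass_pids=frozenset()):
    """Return the names of the dump patterns one process command line matches ([] if none).

    lsass_pids: PIDs known to belong to lsass.exe at the time of the event (assumed to be
    supplied from process-creation telemetry); lets a PID-only procdump invocation match.
    """
    hits = []
    if COMSVCS_MINIDUMP.search(cmdline):
        hits.append("comsvcs_minidump")
    if PROCDUMP_SWITCH.search(cmdline):
        tokens = cmdline.split()
        targets_lsass = "lsass" in cmdline.lower() or any(
            t.isdigit() and int(t) in lsass_pids for t in tokens)
        if targets_lsass:
            hits.append("procdump_lsass")
    return hits


def scan_cmdlines(cmdlines, lsass_pids=frozenset()):
    """Run detect() over a batch and return (cmdline, hits) for each alerting line."""
    return [(cl, detect(cl, lsass_pids)) for cl in cmdlines if detect(cl, lsass_pids)]


# Constructed sample command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\lsass.dmp full",
    r"rundll32 comsvcs.dll,#+24 624 \\?\C:\Users\Public\l.dmp full",
    r'"C:\Users\bob\Desktop\notmalicious.exe" -accepteula -ma lsass.exe C:\Users\bob\l.dmp',  # renamed procdump
    r"C:\Tools\procdump64.exe -accepteula -ma 624 C:\Tools\624.dmp",                         # PID only
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",       # benign rundll32
    r"C:\Tools\procdump64.exe -ma notepad.exe C:\Tools\notepad.dmp",                          # benign procdump
]

if __name__ == "__main__":
    for cl, hits in scan_cmdlines(SAMPLE_CMDLINES, lsass_pids={624}):
        print(f"{', '.join(hits)}: {cl}")
```

Without the PID set the fourth sample is invisible to the command-line match, which is exactly the gap the ProcessAccess-based rules further down this page (GrantedAccess and CallTrace on lsass.exe) are there to close.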

LSASS Memory Dump File Creation
level
status experimental

Detects LSASS memory dump creation using operating system utilities. Procdump uses the process name in the output file name if none is specified.

LSASS Memory Dump
level
status experimental

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Hydra Password Guessing Hack Tool
level
status test

Detects command line parameters used by Hydra password guessing hack tool

Hack Tool User Agent
level
status test

Detects suspicious user agent strings used by hack tools in proxy logs

GUI Input Capture - macOS
level
status experimental

Detects attempts to use system dialog prompts to capture user credentials

Guacamole Two Users Sharing Session Anomaly
level
status test

Detects suspicious session with two users present

Grabbing Sensitive Hives via Reg Utility
level
status test

Detects dumping of the SAM, SYSTEM or SECURITY hives using the REG.exe utility

Google Cloud Kubernetes RoleBinding
level
status experimental

Detects the creation or patching of a potentially malicious RoleBinding. This includes RoleBindings and ClusterRoleBindings.

Generic Password Dumper Activity on LSASS
level
status experimental

Detects process handle on LSASS process with certain access mask
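
Several entries on this page describe the same Sysmon signals on lsass.exe: a ProcessAccess (Event ID 10) handle whose GrantedAccess carries the PROCESS_VM_READ / PROCESS_QUERY_* bits (Mimikatz Detection LSASS Access, Generic Password Dumper Activity on LSASS), a CallTrace through dbghelp.dll or dbgcore.dll (LSASS Memory Dump), and a CreateRemoteThread (Event ID 8) with lsass.exe as TargetImage (Password Dumper Remote Thread in LSASS). The following is an added example, not part of this listing or of the Sigma rules it indexes, that evaluates constructed Sysmon records against all three. It tests the mask bits rather than an exact value list, so wider masks such as 0x1FFFFF (PROCESS_ALL_ACCESS) that procdump requests also match; the small source-image allowlist is an assumption to be tuned per environment.

```python
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Every read-out of LSASS needs a handle with VM_READ plus basic query rights. Testing
# these bits (instead of listing 0x1010 / 0x1410 exactly) also catches 0x1438, 0x1FFFFF
# and similar masks requested by procdump, Task Manager and minidump-based tools.
READ_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1010

# Modules that appear in the Sysmon CallTrace when MiniDumpWriteDump produces the dump.
DUMP_LIBS = ("dbghelp.dll", "dbgcore.dll")

# Assumed starting allowlist of system processes that legitimately hold read handles on
# lsass. Name-based allowlists are bypassable by renaming, so in production pair this with
# signature/path checks from process-creation telemetry.
BENIGN_SOURCES = ("\\csrss.exe", "\\wmiprvse.exe", "\\msmpeng.exe")


def is_lsass(image):
    return image.lower().endswith("\\lsass.exe")


def classify(ev):
    """Return the names of the patterns one Sysmon record matches ([] if none)."""
    hits = []
    if not is_lsass(ev.get("TargetImage", "")):
        return hits
    if ev.get("SourceImage", "").lower().endswith(BENIGN_SOURCES):
        return hits
    if ev.get("EventID") == 10:
        granted = int(ev["GrantedAccess"], 16)
        calltrace = ev.get("CallTrace", "").lower()
        if granted & READ_MASK == READ_MASK:
            hits.append("lsass_read_access")
        if granted & PROCESS_VM_READ and any(lib in calltrace for lib in DUMP_LIBS):
            hits.append("minidump_calltrace")
    elif ev.get("EventID") == 8:
        hits.append("remote_thread_in_lsass")
    return hits


def scan(events):
    """Run classify() over a batch and return (SourceImage, hits) for each alerting record."""
    return [(ev["SourceImage"], classify(ev)) for ev in events if classify(ev)]


LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed Sysmon records (sample data only, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\bob\Downloads\mimikatz.exe+4d1ab"},
    {"EventID": 10, "SourceImage": r"C:\Tools\pd.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2d60e|"
                  r"C:\Windows\SYSTEM32\dbgcore.DLL+2a1e2|C:\Tools\pd.exe+2c31"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000",  # query-only handle, no VM_READ: benign
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2d60e"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff",  # full access, but allowlisted system process
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\SYSTEM32\csrsrv.dll+5c1a"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\wce.exe", "TargetImage": LSASS,
     "StartAddress": "0x00007FFB1A2B3C40"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x00007FFB1A2B3C40"},
]

if __name__ == "__main__":
    for source, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {source}")
```

A single dump run produces many Event ID 8 and 10 records, so aggregate per SourceImage and PID before paging anyone.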

GALLIUM Artefacts
level
status experimental

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Esentutl Volume Shadow Copy Service Keys
level
status experimental

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

Esentutl Gather Credentials
level
status experimental

Conti recommended that its affiliates use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MS Edge info via its pwgrab module.

Dumping Process via Sqldumper.exe
level
status test

Detects process dump via legitimate sqldumper.exe binary

Dumpert Process Dumper
level
status experimental

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Dropping Of Password Filter DLL
level
status experimental

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

DIT Snapshot Viewer Use
level
status test

Detects the use of the Ditsnap tool, which appears to be in use by ransomware groups.

Credentials In Files
level
status test

Detects attempts to extract passwords with grep and LaZagne

Credentials In Files
level
status test

Detects attempts to extract passwords with grep

Credential Dumping Tools Service Execution
level
status experimental

Detects well-known credential dumping tools execution via service execution events

Credential Dumping by Pypykatz
level
status experimental

Detects LSASS process access by pypykatz for credential dumping.

Credential Dumping by LaZagne
level
status stable

Detects LSASS process access by LaZagne for credential dumping.

Cred Dump-Tools Named Pipes
level
status test

Detects well-known credential dumping tools execution via specific named pipes

CrackMapExecWin
level
status test

Detects CrackMapExecWin Activity as Described by NCSC

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
level
status experimental

Detects the creation or patching of a potentially malicious RoleBinding/ClusterRoleBinding.

Azure Kubernetes Network Policy Change
level
status experimental

Identifies when an Azure Kubernetes network policy is modified or deleted.

Antivirus Password Dumper Detection
level
status test

Detects a highly relevant Antivirus alert that reports a password dumper
