Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Detects a possible process memory dump based on a keyword in the file name of the accessing process
Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file
Utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Uses PowerShell to install a DLL in System32
Execute Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
Detects Mimikatz MemSSP default log file creation
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
The attacker creates a computer object using those permissions with a password known to her. After that she clears the ServicePrincipalName attribute on the computer object. Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
Detects a suspicious LSASS process clone that could be a sign of process dumping activity
Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Detects certificate creation with template allowing risk permission subject
Detects certificate creation with template allowing risk permission subject and risky EKU
Detects access that has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
A change to an authentication method could be an indication of an attacker adding an auth method to the account so they can have continued access.
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Detects a process memory dump performed by RdrLeakDiag.exe
Identifies when secrets are modified or deleted in Azure.
Identifies when a Keyvault Key is modified or deleted in Azure.
Identifies when a key vault is modified or deleted.
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
Detects suspicious PowerShell scripts accessing SAM hives
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Detects Windows Pcap driver installation based on a list of associated .sys files.
Detect the harvesting of wifi credentials using netsh.exe
Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
Detects the use of Windows Credential Editor (WCE)
Detects the execution of SecurityXploded Tools
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Show when a monitor or a SPAN/RSPAN session is set up or modified
See what commands are being input into the device by other people; full credentials can be in the history
Show when private keys are being exported from the device, or when new certificates are installed
Collect pertinent data from the configuration files
Detects handles requested to SAM registry hive
Detects potential mimikatz-like tools accessing LSASS from a non-system account
Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source and not the Domain Controller.
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation.
Detects DCShadow via create new SPN
Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
Detects capture of a network trace via netsh.exe trace functionality
Detects many authentication failures from one source to one destination, which may indicate brute force activity
Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
Detects URL pattern used by iOS Implant
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we’re also able to catch cases in which the attacker has renamed the procdump executable.
Detects Access to Domain Group Policies stored in SYSVOL
Detects command line parameters used by Rubeus hack tool
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows event logs are cleared using wevtutil
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Detects usage of cmdkey to look for cached credentials
Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
Detects Access to LSASS Process
Detects possible SafetyKatz Behaviour
Detects a dump file written by QuarksPwDump password dumper
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers
Detects process access to LSASS memory, which is typical for credential dumping tools
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
This method detects mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
Detects suspicious failed logins with different user accounts from a single source system
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Detects volume shadow copy mount
Loading unsigned image (DLL, EXE) into LSASS process
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Detects service ticket requests using RC4 encryption type
Detects commandline operations on shell history files
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Shadow Copies creation using operating systems utilities, possible credential access
Shadow Copies storage symbolic link creation using operating systems utilities
Remote registry management using REG utility from non-admin workstation
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry, where the SAM database is stored
Detects QuarksPwDump clearing access history in hive
Detects process memory dump via comsvcs.dll and rundll32
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Detects PowerShell calling a credential prompt
Detects Service Principal Name Enumeration used for Kerberoasting
Detect PetitPotam coerced authentication activity.
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Detect AD credential dumping using impacket secretdump HKTL
Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
Detects common NTLM brute force device names
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
Detects Mimikatz DC sync security events
Detects well-known mimikatz command line arguments
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
Detects command line parameters used by Hydra password guessing hack tool
Detects suspicious user agent strings used by hack tools in proxy logs
Detects attempts to use system dialog prompts to capture user credentials
Detects suspicious session with two users present
Dump SAM, SYSTEM or SECURITY hives using the REG.exe utility
Identifies when the Secrets are Modified or Deleted.
Detects the creation or patching of potentially malicious RoleBindings. This includes RoleBindings and ClusterRoleBindings.
Detects process handle on LSASS process with certain access mask
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.
Conti recommended to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
Detects process dump via legitimate sqldumper.exe binary
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
Detecting attempts to extract passwords with grep and laZagne
Detecting attempts to extract passwords with grep
Detects password dumps from Keychain
Detects well-known credential dumping tools execution via service execution events
Detects LSASS process access by pypykatz for credential dumping.
Detects LSASS process access by LaZagne for credential dumping.
Detects well-known credential dumping tools execution via specific named pipes
Detects CrackMapExecWin Activity as Described by NCSC
Detects the creation or patching of potentially malicious RoleBindings/ClusterRoleBindings.
Identifies when an Azure Kubernetes network policy is modified or deleted.
Detects a highly relevant Antivirus alert that reports a password dumper
Detects access to lsass.exe by PowerShell