Sigma Rules
382 rules found for "credential-access"
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
Certificate Private Key Acquired
Detects when an application acquires a certificate private key
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Standard User In High Privileged Group
Detect standard users login that are part of high privileged groups such as the Administrator group
NTLM Brute Force
Detects common NTLM brute force device names
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Mimikatz DC Sync
Detects Mimikatz DC sync security events
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
Possible Impacket SecretDump Remote Activity
Detect AD credential dumping using impacket secretdump HKTL
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
PetitPotam Suspicious Kerberos TGT Request
Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
Possible DC Shadow Attack
Detects DCShadow via create new SPN
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
Replay Attack Detected
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
Suspicious Teams Application Related ObjectAcess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
VSSAudit Security Event Source Registration
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Suspicious Rejected SMB Guest Logon From IP
Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
No Suitable Encryption Key Found For Generating Kerberos Ticket
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.