Sigma Rules
382 rules found for "credential-access"
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Volume Shadow Copy Mount
Detects volume shadow copy mount via Windows event log
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Credential Manager Access By Uncommon Applications
Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
HackTool - CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
HackTool - NPPSpy Hacktool Usage
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
HackTool - Impacket File Indicators
Detects file creation events with filename patterns used by Impacket.
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Unsigned Image Loaded Into LSASS Process
Loading unsigned image (DLL, EXE) into LSASS process
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.