Sigma Rules
382 rules found for "credential-access"
Uncommon Outbound Kerberos Connection
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Dump Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Suspicious Get-ADReplAccount
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Powershell Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them.
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Potential Invoke-Mimikatz PowerShell Script
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name
HackTool - HandleKatz Duplicating LSASS Handle
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
Lsass Memory Dump via Comsvcs DLL
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Browser Started with Remote Debugging
Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
VolumeShadowCopy Symlink Creation Via Mklink
Shadow Copies storage symbolic link creation using operating systems utilities
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.