Sigma Rules
382 rules found for "credential-access"
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
DumpMinitool Execution
Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
HackTool - Certify Execution
Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution
Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
HackTool - CrackMapExec Execution
This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - CrackMapExec Process Patterns
Detects suspicious process patterns found in logs when CrackMapExec is used
HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
HackTool - Doppelanger LSASS Dumper Execution
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
HackTool - Hashcat Password Cracker Execution
Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
HackTool - Hydra Password Bruteforce Execution
Detects command line parameters used by Hydra password guessing hack tool
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
HackTool - Inveigh Execution
Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
HackTool - KrbRelayUp Execution
Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
HackTool - RemoteKrbRelay Execution
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
HackTool - LaZagne Execution
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - Mimikatz Execution
Detection well-known mimikatz command line arguments
HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
HackTool - Quarks PwDump Execution
Detects usage of the Quarks PwDump tool via commandline arguments
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information of command line parameters
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
Time Travel Debugging Utility Usage
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.