Sigma Rules
388 rules found for "credential-access"
Diskshadow Script Mode Execution
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
EventLog Query Requests By Builtin Utilities
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
Cleartext Protocol Usage Via Netflow
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.