Credential Access Detections

Name Data Source Technique Type Analytic Story Date
Detect Distributed Password Spray Attempts Azure Active Directory Sign-in activity Password Spraying Brute Force Hunting Active Directory Password Spraying, Compromised User Account 2024-10-17
Detect Password Spray Attempts Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Compromised User Account 2024-10-17
Okta Authentication Failed During MFA Challenge Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2024-09-30
Okta MFA Exhaustion Hunt Okta Brute Force Hunting Okta Account Takeover, Okta MFA Exhaustion 2024-10-17
Okta Mismatch Between Source and Response for Verify Push Request Okta Multi-Factor Authentication Request Generation TTP Okta Account Takeover, Okta MFA Exhaustion 2024-11-19
Okta Multi-Factor Authentication Disabled Okta Modify Authentication Process Multi-Factor Authentication TTP Okta Account Takeover 2024-09-30
Okta Multiple Accounts Locked Out Okta Brute Force Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Failed MFA Requests For User Okta Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Users Failing To Authenticate From Ip Okta Password Spraying Anomaly Okta Account Takeover 2024-09-30
Okta Phishing Detection with FastPass Origin Check Okta Valid Accounts Default Accounts Modify Authentication Process TTP Okta Account Takeover 2024-10-17
Okta Risk Threshold Exceeded Okta Valid Accounts Brute Force Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Use of a Session Cookie Okta Steal Web Session Cookie Anomaly Okta Account Takeover, Suspicious Okta Activity 2024-09-30
PingID Mismatch Auth Source and Verification Response PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID Multiple Failed MFA Requests For User PingID Multi-Factor Authentication Request Generation Valid Accounts Brute Force TTP Compromised User Account 2024-09-30
PingID New MFA Method After Credential Reset PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID New MFA Method Registered For User PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
Splunk Low Privilege User Can View Hashed Splunk Password Splunk Exploitation for Credential Access Hunting Splunk Vulnerabilities 2024-10-17
Splunk Sensitive Information Disclosure in DEBUG Logging Channels Splunk Unsecured Credentials Hunting Splunk Vulnerabilities 2024-10-17
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
ASL AWS New MFA Method Registered For User Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS Console Login Failed During MFA Challenge AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Credential Access Failed Login AWS CloudTrail Compromise Accounts Cloud Accounts Brute Force Password Guessing TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS CloudTrail GetPasswordData Compromise Accounts Cloud Accounts Brute Force Password Guessing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS CloudTrail ModifyDBInstance Compromise Accounts Cloud Accounts Brute Force TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS High Number Of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS CloudTrail Cloud Infrastructure Discovery Brute Force TTP AWS IAM Privilege Escalation 2024-09-30
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Users Failing To Authenticate From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-10-16
AWS New MFA Method Registered For User AWS CloudTrail CreateVirtualMFADevice Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
Azure Active Directory High Risk Sign-in Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Device Code Authentication Azure Active Directory Steal Application Access Token Phishing Spearphishing Link TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD High Number Of Failed Authentications For User Azure Active Directory Brute Force Password Guessing TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD High Number Of Failed Authentications From Ip Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multi-Source Failed Authentications Spike Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Azure AD Multiple Denied MFA Requests For User Azure Active Directory Sign-in activity Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD New MFA Method Registered For User Azure Active Directory User registered security info Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD OAuth Application Consent Granted By User Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned Azure Active Directory Add member to role Security Account Manager TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Graph API Permission Assigned Azure Active Directory Update application Security Account Manager TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Successful Authentication From Different Ips Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Blocked for Risky Application Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Denied for OAuth Application Azure Active Directory Sign-in activity Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Detect AWS Console Login by New User AWS CloudTrail Compromise Accounts Cloud Accounts Unsecured Credentials Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
GCP Authentication Failed During MFA Challenge Google Workspace login_failure Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP GCP Account Takeover 2024-09-30
GCP Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Multiple Users Failing To Authenticate From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
High Number of Login Failures from a single source O365 UserLoginFailed Password Guessing Brute Force Anomaly Office 365 Account Takeover 2024-09-30
Kubernetes Abuse of Secret by Unusual Location Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Group Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Name Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Nginx Ingress LFI Exploitation for Credential Access TTP Dev Sec Ops 2024-09-30
Kubernetes Nginx Ingress RFI Exploitation for Credential Access TTP Dev Sec Ops 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. Modify Authentication Process TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Excessive Authentication Failures Alert Brute Force Anomaly Office 365 Account Takeover 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed Modify Authentication Process Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 File Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 High Number Of Failed Authentications for User O365 UserLoginFailed Brute Force Password Guessing TTP Office 365 Account Takeover 2024-09-30
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed Multi-Factor Authentication Request Generation TTP Office 365 Account Takeover 2024-09-30
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
O365 Privileged Graph API Permission Assigned O365 Update application. Security Account Manager TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 User Consent Blocked for Risky Application O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 User Consent Denied for OAuth Application O365 Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
Detect Mimikatz Using Loaded Images Sysmon EventID 7 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools 2024-10-17
Detect Mimikatz Via PowerShell And EventCode 4703 LSASS Memory TTP Cloud Federated Credential Abuse 2024-10-17
Dump LSASS via procdump Rename Sysmon EventID 1 LSASS Memory Hunting CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP Password Spraying Valid Accounts Default Accounts TTP Suspicious Okta Activity 2024-10-17
Okta Account Locked Out Brute Force Anomaly Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts Default Accounts Credential Stuffing TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts Default Accounts Password Spraying TTP Suspicious Okta Activity 2024-10-17
Okta Two or More Rejected Okta Pushes Brute Force TTP Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Unsigned Image Loaded by LSASS Sysmon EventID 7 LSASS Memory TTP Credential Dumping 2024-10-17
Access LSASS Memory for Dump Creation Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA23-347A, Credential Dumping 2024-09-30
Add DefaultUser And Password In Registry Sysmon EventID 13 Credentials in Registry Unsecured Credentials Anomaly BlackMatter Ransomware 2024-11-14
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Match Legitimate Name or Location Masquerading OS Credential Dumping Active Scanning TTP CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-11-28
Attempted Credential Dump From Registry via Reg exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse 2024-11-28
Auto Admin Logon Registry Entry Sysmon EventID 12, Sysmon EventID 13 Credentials in Registry Unsecured Credentials TTP BlackMatter Ransomware, Windows Registry Abuse 2024-11-14
Create Remote Thread into LSASS Sysmon EventID 8 LSASS Memory OS Credential Dumping TTP BlackSuit Ransomware, Credential Dumping 2024-09-30
Creation of lsass Dump with Taskmgr Sysmon EventID 11 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, Credential Dumping 2024-09-30
Creation of Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Volt Typhoon 2024-11-28
Creation of Shadow Copy with wmic and powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon 2024-11-28
Credential Dumping via Copy Command from Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping 2024-11-28
Credential Dumping via Symlink to Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping 2024-11-28
Crowdstrike Admin Weak Password Policy Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Admin With Duplicate Password Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike High Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Severity Alert Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Multiple LOW Severity Alerts Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Privilege Escalation For Non-Admin User Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User Weak Password Policy Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User with Duplicate Password Brute Force Anomaly Compromised Windows Host 2024-09-30
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Ingress Tool Transfer TTP Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services 2024-11-28
Detect Certify With PowerShell Script Block Logging Powershell Script Block Logging 4104 Steal or Forge Authentication Certificates Command and Scripting Interpreter PowerShell TTP Malicious PowerShell, Windows Certificate Services 2024-09-30
Detect Certipy File Modifications Sysmon EventID 1, Sysmon EventID 11 Steal or Forge Authentication Certificates Archive Collected Data TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2024-09-30
Detect Copy of ShadowCopy with Script Block Logging Powershell Script Block Logging 4104 Security Account Manager OS Credential Dumping TTP Credential Dumping 2024-09-30
Detect Credential Dumping through LSASS access Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack 2024-09-30
Detect Mimikatz With PowerShell Script Block Logging Powershell Script Block Logging 4104 OS Credential Dumping PowerShell TTP CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools 2024-09-30
Detect Password Spray Attack Behavior From Source Password Spraying Brute Force TTP Compromised User Account 2024-09-30
Detect Password Spray Attack Behavior On User Password Spraying Brute Force TTP Compromised User Account 2024-09-30
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Disabled Kerberos Pre-Authentication Discovery With PowerView Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks 2024-09-30
Disabling Windows Local Security Authority Defences via Registry Sysmon EventID 1, Sysmon EventID 13 Modify Authentication Process TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Dump LSASS via comsvcs DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon 2024-11-28
Dump LSASS via procdump CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group 2024-11-28
Enable WDigest UseLogonCredential Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry OS Credential Dumping TTP CISA AA22-320A, Credential Dumping, Windows Registry Abuse 2024-11-14
Esentutl SAM Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping Hunting Credential Dumping, Living Off The Land 2024-10-17
Excel Spawning PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Excel Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Extraction of Registry Hives CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon 2024-09-30
Kerberoasting spn request with RC4 encryption Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-11-28
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows Event Log Security 4738 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Kerberos Pre-Authentication Flag Disabled with PowerShell Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks 2024-09-30
Kerberos Service Ticket Request Using RC4 Encryption Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Golden Ticket TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Managers Linux Auditd Execve Password Managers Credentials from Password Stores TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Stores Linux Auditd Execve Password Managers Credentials from Password Stores TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Private Keys Linux Auditd Execve Private Keys Unsecured Credentials TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Ssh Private Keys Linux Auditd Execve Private Keys Unsecured Credentials Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Credential Files Linux Auditd Proctitle /etc/passwd and /etc/shadow OS Credential Dumping Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Credential Files Sysmon for Linux EventID 1 /etc/passwd and /etc/shadow OS Credential Dumping Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Non Chrome Process Accessing Chrome Default Dir Windows Event Log Security 4663 Credentials from Password Stores Credentials from Web Browsers Anomaly 3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Non Firefox Process Access Firefox Profile Dir Windows Event Log Security 4663 Credentials from Password Stores Credentials from Web Browsers Anomaly 3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Ntdsutil Export NTDS CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon 2024-09-30
PetitPotam Network Share Access Request Windows Event Log Security 5145 Forced Authentication TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
PetitPotam Suspicious Kerberos TGT Request Windows Event Log Security 4768 OS Credential Dumping TTP Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
Possible Browser Pass View Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Web Browsers Credentials from Password Stores Hunting Remcos 2024-10-17
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket Steal or Forge Kerberos Tickets Kerberoasting AS-REP Roasting TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
SAM Database File Access Attempt Windows Event Log Security 4663 Security Account Manager OS Credential Dumping Hunting Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-10-17
SecretDumps Offline NTDS Dumping Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-11-28
ServicePrincipalNames Discovery with PowerShell Powershell Script Block Logging 4104 Kerberoasting TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell 2024-09-30
ServicePrincipalNames Discovery with SetSPN CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Kerberoasting TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Steal or Forge Authentication Certificates Behavior Identified Steal or Forge Authentication Certificates Correlation Windows Certificate Services 2024-09-30
Unusual Number of Kerberos Service Tickets Requested Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Kerberoasting Anomaly Active Directory Kerberos Attacks 2024-10-17
Windows AD Replication Request Initiated by User Account Windows Event Log Security 4662 DCSync OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated from Unsanctioned Location Windows Event Log Security 4624, Windows Event Log Security 4662 DCSync OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows Cached Domain Credentials Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Cached Domain Credentials OS Credential Dumping Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Computer Account Created by Computer Account Windows Event Log Security 4741 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Computer Account Requesting Kerberos Ticket Windows Event Log Security 4768 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Computer Account With SPN Windows Event Log Security 4741 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Credential Dumping LSASS Memory Createdump CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory TTP Compromised Windows Host, Credential Dumping 2024-11-28
Windows Credentials Access via VaultCli Module Windows Credential Manager Anomaly Meduza Stealer 2024-11-29
Windows Credentials from Password Stores Chrome Copied in TEMP Dir Credentials from Web Browsers Credentials from Password Stores TTP Braodo Stealer 2024-09-24
Windows Credentials from Password Stores Creation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores Anomaly DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Credentials from Web Browsers Saved in TEMP Folder Credentials from Web Browsers Credentials from Password Stores TTP Braodo Stealer 2024-09-24
Windows Credentials in Registry Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials in Registry Unsecured Credentials Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Domain Admin Impersonation Indicator Windows Event Log Security 4627 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware 2024-11-28
Windows Export Certificate Windows Event Log CertificateServicesClient 1007 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Findstr GPP Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Unsecured Credentials Group Policy Preferences TTP Active Directory Privilege Escalation 2024-09-30
Windows Hunting System Account Targeting Lsass Sysmon EventID 10 LSASS Memory OS Credential Dumping Hunting CISA AA23-347A, Credential Dumping 2024-10-17
Windows Input Capture Using Credential UI Dll Sysmon EventID 7 GUI Input Capture Input Capture Hunting Brute Ratel C4 2024-10-17
Windows Kerberos Local Successful Logon Windows Event Log Security 4624 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Local Administrator Credential Stuffing Windows Event Log Security 4624, Windows Event Log Security 4625 Brute Force Credential Stuffing TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows LSA Secrets NoLMhash Registry Sysmon EventID 12, Sysmon EventID 13 LSA Secrets TTP CISA AA23-347A 2024-11-14
Windows Mimikatz Binary Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 OS Credential Dumping TTP CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon 2024-11-28
Windows Mimikatz Crypto Export File Extensions Sysmon EventID 11 Steal or Forge Authentication Certificates Anomaly CISA AA23-347A, Sandworm Tools, Windows Certificate Services 2024-09-30
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows Event Log Security 4768 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple NTLM Null Domain Authentications Brute Force Password Spraying TTP Active Directory Password Spraying 2024-09-30
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows Event Log Security 4648 Password Spraying Brute Force TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Process Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate Using Kerberos Windows Event Log Security 4771 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Remotely Failed To Authenticate From Host Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Non-System Account Targeting Lsass Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA23-347A, Credential Dumping 2024-09-30
Windows Password Managers Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Managers Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Possible Credential Dumping Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack 2024-09-30
Windows Post Exploitation Risk Behavior Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials Correlation Windows Post-Exploitation 2024-09-30
Windows PowerShell Export Certificate Powershell Script Block Logging 4104 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows PowerShell Export PfxCertificate Powershell Script Block Logging 4104 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows PowerSploit GPP Discovery Powershell Script Block Logging 4104 Unsecured Credentials Group Policy Preferences TTP Active Directory Privilege Escalation 2024-09-30
Windows PowerView Kerberos Service Ticket Request Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2024-09-30
Windows PowerView SPN Discovery Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows Private Keys Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Private Keys Unsecured Credentials Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Rapid Authentication On Multiple Hosts Windows Event Log Security 4624 Security Account Manager TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 Remote Access Software OS Credential Dumping Anomaly Brute Ratel C4 2024-09-30
Windows Steal Authentication Certificates - ESC1 Abuse Windows Event Log Security 4886, Windows Event Log Security 4887 Steal or Forge Authentication Certificates TTP Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 Steal or Forge Authentication Certificates Use Alternate Authentication Material TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Windows Steal Authentication Certificates Certificate Issued Windows Event Log Security 4887 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Certificate Request Windows Event Log Security 4886 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CertUtil Backup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CryptoAPI Windows Event Log CAPI2 70 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CS Backup Windows Event Log Security 4876 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export Certificate CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export PfxCertificate CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal or Forge Kerberos Tickets Klist CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Kerberos Tickets Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Unsecured Outlook Credentials Access In Registry Windows Event Log Security 4663 Unsecured Credentials Anomaly Meduza Stealer, Snake Keylogger 2024-11-28
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows Event Log Security 4648 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows Event Log Security 4771 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate From Process Windows Event Log Security 4625 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows Event Log Security 4625 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual NTLM Authentication Destinations By Source Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Destinations By User Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Destination Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Source Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Detect ARP Poisoning Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect IPv6 Network Infrastructure Threats Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Port Security Violation Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-10-17
Splunk Identified SSL TLS Certificates Splunk Stream TCP Network Sniffing Hunting Splunk Vulnerabilities 2024-10-17
Windows AD Replication Service Traffic OS Credential Dumping DCSync Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-10-17