Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Credential Access
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
O365 Excessive SSO logon errors
Modify Authentication Process
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Splunk Low Privilege User Can View Hashed Splunk Password
Exploitation for Credential Access
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Splunk Identified SSL TLS Certificates
Network Sniffing
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
O365 Excessive Authentication Failures Alert
Brute Force
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
O365 Disable MFA
Modify Authentication Process
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
PetitPotam Network Share Access Request
Forced Authentication
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
Dump LSASS via procdump Rename
LSASS Memory
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
High Number of Login Failures from a single source
Password Guessing, Brute Force
High Number of Login Failures from a single source
Password Guessing, Brute Force
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory