title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to…

title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperati…

title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
    Detects file access requests to crypto currency files by uncommon processes.
    Could indicate potential attempt of crypto currency wallet stealing.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
    - attack.t10…

title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes based on name and location that access the windows credential manager and vault.
    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
    - https://hunter2.gitbook.io/dar…

title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-cont…

title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tu…

title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
    In order to dump the process memory or perform other ne…

title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twi…

title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that dat…

title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsof…

title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
    Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
    Enabling this feature allows memory dumps (core dumps) of SUID pro…

title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: test
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2…

title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
id: c5f37810-a85f-4186-81e9-33f23abb4141
status: test
description: |
    Detects file access requests to chromium based browser sensitive files by uncommon processes.
    Could indicate potential attempt of stealing sensitive information.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07…

title: Access To Browser Credential Files By Uncommon Applications
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
related:
    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
      type: similar
status: test
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage…

title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/think…

title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/ope…

title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf…

title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829f…

title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
    - https://linux.die.net/man/8/pam_tty_audit
    - https://access.redhat.com/documentation/en-us/red_hat_e…

title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-in…

title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
    - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tag…

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attac…

title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/fortra/impacket/blo…

title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsof…

title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/15888156610859171…

title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
referenc…

title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
da…

title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memo…

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modi…

title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused…

title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08…

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https…

title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resourc…

title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attac…

title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://tw…

title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.cre…

title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
    - id: 910ab938-668b-401b-b08c-b596e80fdca5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credential…

title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/Othe…

title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-ac…

title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
    - https://twitter.com/countuponsec/status/910977826853068800
    - https://twitter.com/countuponsec/status/910969424215232518
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kirya…

title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rig…

title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
    Detects process access requests to the LSASS process with specific call trace calls and access masks.
    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
 …

title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2021-11-27
tags:
    - attack.credential-access
…

title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for…

title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
    - id: 2e69f167-47b5-4ae7-a390-47764529eff5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumpi…

title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credent…

title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
    The Dbghelp and Dbgcore DLLs export functions that allow for t…

title: Uncommon GrantedAccess Flags On LSASS
id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: obsolete
status: test
description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://on…

title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid…

title: Potential Credential Dumping Attempt Via PowerShell
id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: fb656378-f909-47c1-8747-278bf09f4f4f
      type: similar
status: test
description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
re…

title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04…

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-2…

title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-te…

title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepi…

title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modif…

title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user …

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-…

title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
    - https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
    - attack.credenti…

title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https:…

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcer…

title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
      type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
    - https://speakerdeck.com/he…

title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
    - attack.credential-a…

title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
    - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
      type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-to…

title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
    Currently the rule is covering only usage of procdump but other utilities can be added in order to incre…

title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
    - id: e76c8240-d68f-4773-8880-5c6f63595aaf
      type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binarie…

title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/l…

title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com…

title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
      type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
    - https://twitter.com/shantanukhande/status/122934887429838…

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-acce…

title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nex…

title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: …

title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentation…

title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
    - https://githu…

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywor…

title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
    - https://twitter.com/nas_bench/status/15349…

title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memo…

title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
    - https://github.com/TwoSevenOneT/WSASS
    - https://www.zerosalar…

title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsyst…

title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
    - id: 6355a919-2e97-4285-a673-74645566340d
      type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
    - https:/…

title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024…

title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
      type: similar
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions…

title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Ro…

title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-a…

title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
      type: similar
status: experimental
description: |
    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
    These DLLs contain functions…

title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/…

title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-crede…

title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 20…

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
aut…

title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www…

title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
    - https://twitter.com/SBousseaden/status/1541920424635912196
    - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules…

title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    -…

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.executio…

title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70…

title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
    - https://twitter.com/sbousseaden/status/1555200155351228419
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-02-17
tags:
    - attack.credential-access
    …

title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/11963903…

title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
    Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API…

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
dat…

title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepi…

title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
status: test
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
references:
    - https://twitter.com/jackcr/status/807385668833968128
author: sigma
date: 2017-02-12
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    pr…

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
a…

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: window…

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavsk…

title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.m…

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https…

title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://u…

title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118…

title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 202…

title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.0…

title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-…

title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://tw…

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within comprom…

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s000…

title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-…

title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
    - https://securelist.com/schroedingers-petya/78870/
    - https:/…

title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-10
tags:
    - attack.colle…

title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
    - id: 910ab938-668b-401b-b08c-b596e80fdca5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credential…

title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-cont…

title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tu…

title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
id: a58353df-af43-4753-bad0-cd83ef35eef5
related:
    - id: 2afafd61-6aae-4df4-baed-139fa1f4c345
      type: derived
status: test
description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro…

title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags…

title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
    - https://twitter.com/mgreen27/status/1558223256704122882
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
da…

title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
    - id: 2e69f167-47b5-4ae7-a390-47764529eff5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumpi…

title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    se…

title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author:…

title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
status: test
description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://github.com/M…

title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom…

title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
    - https://stealthbits.com/blog/extracting-password-has…

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-2…

title: NTDS.DIT Creation By Uncommon Parent Process
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
related:
    - id: 11b1ed55-154d-4e82-8ad7-83739298f720
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
references:
    - https://www.ired.team/offensive-security/credential-access-and-credentia…

title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https…

title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
references:
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date:…

title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: test
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob…

title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
    Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
    - https://www.microsof…

title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
      type: derived
status: test
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credenti…

title: VolumeShadowCopy Symlink Creation Via Mklink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
status: stable
description: Shadow Copies storage symbolic link creation using operating systems utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-03-06
tags:…

title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Files with well-known filenames (sensitive files with credential data) copying
references:
    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windo…

title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://p…

title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detect AD credential dumping using impacket secretdump HKTL
references:
    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
    - atta…

title: Potential Russian APT Credential Theft Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
status: stable
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-08
tags:
    - at…

title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
 …

title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-re…

title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    -…

title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compr…

title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
t…

title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/c…

title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138…

title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to f…

title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-0…

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to…

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windo…

title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefo…

title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
t…

title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: test
description: Detects a command used by conti to dump database
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06…

title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/…

title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-u…

title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/…

title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    -…

title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1…

title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da…

title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author…

title: Share And Session Enumeration Using Net.EXE
id: 62510e69-616b-4078-b371-847da438cc03
status: stable
description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f33…

title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
    Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
references:
    - https://github.com/redcanaryco/atom…

title: Net.EXE Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: test
description: Detects execution of "Net.EXE".
references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46b…

title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    -…

title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
      type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://…

title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-…

title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-websh…

title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), M…

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modif…

title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially…

title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
    - https://www.elastic.co/guide/en/security/current/potential-remo…

title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
    - attack.execution
    - attack.lateral-movement
    - attac…

title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/openca…

title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/openca…

title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c744513…

title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138…

title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7…

title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencan…

title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially…

title: Privilege Escalation via Named Pipe Impersonation
id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
related:
    - id: f35c5d71-b489-4e22-a115-f003df287317
      type: derived
status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
    - https://www.elastic.co/guide/en/security/current/privilege-…

title: New RDP Connection Initiated From Domain Controller
id: fda34293-718e-4b36-b018-38caab0d1209
status: test
description: Detects an RDP connection originating from a domain controller.
references:
    - Internal Research
author: Josh Nickels
date: 2024-05-10
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    product: windows
    category: network_connection
detection:
    s…

title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
refe…

title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-moveme…

title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: experimental
description: |
    Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
    In PowerShell one-liner commands, the "SetAllowTSCon…

title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
  Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
    - https://www…

title: OpenCanary - RDP New Connection Attempt
id: 598290cf-5932-45cd-9123-be1e05ab4f2e
status: experimental
description: Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe1…

title: Publicly Accessible RDP Service
id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
status: test
description: |
    Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
author: Josh Brower @DefensiveDepth
date: 2020-08-22
modified: 2024-03-13
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: zeek
    servic…

title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
a…

title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    -…

title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.co…

title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise…

title: Suspicious RDP Redirect Using TSCON
id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
status: test
description: Detects a suspicious RDP session redirect using tscon.exe
references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73…

title: Suspicious Plink Port Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: test
description: Detects suspicious Plink tunnel port forwarding to a local port
references:
    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth (Nextron…

title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
refe…

title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel…

title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - car.2…

title: Hermetic Wiper TG Process Patterns
id: 2f974656-6d83-4059-bbdf-68ac5403422f
status: test
description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
author: Florian Roth (Nextron Systems…

title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https:…

title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
status: test
description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T10…

title: PUA - CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default CSExec pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasred…