Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.
Credential Theft (MITRE ATT&CK: T1003, T1078)
Overview:
Credential theft involves attackers trying to steal valid user credentials through various means such as credential dumping, brute force, and network sniffing. Once credentials are obtained, adversaries use them for lateral movement or privilege escalation.
25 Example Queries for Credential Theft Detection:
1. Detect LSASS Memory Access (Mimikatz)
Mimikatz is a well-known tool used to extract credentials from LSASS memory.
DeviceProcessEvents
| where FileName =~ "mimikatz.exe" or ProcessCommandLine has "lsass"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

2. Monitor Execution of Credential Dumping Tools (e.g., ProcDump)
ProcDump can be used to dump LSASS for credential extraction.
DeviceProcessEvents
| where FileName in~ ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

3. Detect Use of DCSync for Credential Replication
Attackers may use DCSync to impersonate a domain controller and request password hashes.
DeviceProcessEvents
| where FileName =~ "mimikatz.exe" and ProcessCommandLine has "lsadump::dcsync"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

4. Track Unusual Access to SAM and SYSTEM Registry Hives
Credential information is stored in the SAM and SYSTEM registry hives.
DeviceProcessEvents
// "save" and the hive name are separate terms because the hive is usually given as a path (e.g. hklm\sam)
| where FileName =~ "reg.exe" and ProcessCommandLine has "save" and ProcessCommandLine has_any ("sam", "system")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

5. Detect Use of NTDSUtil for Credential Extraction
NTDSUtil is used to interact with Active Directory databases and can be abused to dump credentials.
DeviceProcessEvents
| where FileName =~ "ntdsutil.exe" and ProcessCommandLine has "ifm"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

6. Monitor PowerShell Credential Dumping Scripts
PowerShell scripts such as Invoke-Mimikatz are used to dump credentials.
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Invoke-Mimikatz"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

7. Track Unauthorized Access to Cached Credentials (VaultCmd)
VaultCmd can be used to list and extract cached credentials.
DeviceProcessEvents
| where FileName =~ "vaultcmd.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

8. Detect Attempts to Dump Password Hashes via the SAMR Protocol
Attackers may use the SAMR protocol to enumerate user accounts and dump password hashes.
DeviceNetworkEvents
// DeviceNetworkEvents has no ProcessCommandLine or AccountName columns; the InitiatingProcess* columns carry that data
| where RemotePort == 445 and ActionType == "ConnectionSuccess" and InitiatingProcessCommandLine has "samr"
| summarize count() by DeviceName, RemoteIP, InitiatingProcessAccountName

9. Monitor the Use of Tools Like LaZagne for Credential Extraction
LaZagne is a popular tool used to extract stored credentials.
DeviceProcessEvents
| where FileName =~ "lazagne.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

10. Detect Use of Windows Credential Editor (WCE)
Windows Credential Editor is used to extract password hashes from memory.
DeviceProcessEvents
| where FileName =~ "wce.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

11. Track Unusual LSASS Process Access via Task Manager
Direct access to the LSASS process by unauthorized tools may indicate credential dumping.
DeviceProcessEvents
| where FileName =~ "taskmgr.exe" and ProcessCommandLine has "lsass"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

12. Monitor the Use of Net Commands for Account Enumeration
"net user" and "net group" commands are often used for account and group enumeration.
DeviceProcessEvents
// net.exe hands most subcommands to net1.exe, so both binaries are included
| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_any ("user", "group")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

13. Detect Brute Force Attacks by Tracking Multiple Failed Logons
Multiple failed logon attempts in a short time may indicate a brute force attack.
DeviceLogonEvents
| where ActionType == "LogonFailed"
// bin() gives the "short time" the description refers to; without it the threshold applies to the whole query period
| summarize FailedLogons = count() by AccountName, DeviceName, RemoteIP, bin(Timestamp, 10m)
| where FailedLogons > 5
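The failed-logon count above does not distinguish a brute force (many attempts against one account) from a password spray (a few attempts against many accounts), and it does not tell you whether the source eventually got in. The following query is an added example written for this page, not one of the original 25 queries; the 10-minute window, the thresholds (20 failures per account, 10 distinct accounts, at most 3 failures per account for a spray) and the 7-day range are assumptions to tune for your environment.

```kql
// Added example: brute force vs. password spray on DeviceLogonEvents, with a check for a
// later successful logon from the same source. Thresholds below are assumptions.
let window = 10m;
let failures =
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonFailed"
    | where isnotempty(RemoteIP);
// Brute force: one source, one account, many failures inside one window
let brute_force =
    failures
    | summarize FailedLogons = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by RemoteIP, DeviceName, AccountName, bin(Timestamp, window)
    | where FailedLogons > 20
    | extend Pattern = "BruteForce";
// Password spray: one source, many distinct accounts, only a few failures per account
let spray =
    failures
    | summarize FailedLogons = count(), TargetedAccounts = dcount(AccountName),
        FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by RemoteIP, DeviceName, bin(Timestamp, window)
    | where TargetedAccounts >= 10 and FailedLogons / TargetedAccounts <= 3
    | extend AccountName = "<multiple>", Pattern = "PasswordSpray";
// Last successful logon from each source, used to flag bursts that were followed by a success
let successes =
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonSuccess" and isnotempty(RemoteIP)
    | summarize LastSuccessFromSource = max(Timestamp) by RemoteIP, DeviceName;
union brute_force, spray
| join kind=leftouter successes on RemoteIP, DeviceName
| extend SucceededAfterBurst = isnotnull(LastSuccessFromSource) and LastSuccessFromSource > LastSeen
| project Pattern, Timestamp, RemoteIP, DeviceName, AccountName, FailedLogons,
    FirstSeen, LastSeen, LastSuccessFromSource, SucceededAfterBurst
| order by SucceededAfterBurst desc, FailedLogons desc
```

Rows with SucceededAfterBurst set are the ones to triage first: the source produced a burst of failures and then authenticated successfully to the same host. Integer division in the spray branch is deliberate; it keeps the "few failures per account" test simple and index-friendly.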
14. Monitor the Use of Kerberoast for Ticket Extraction
Kerberoasting tools such as Invoke-Kerberoast are used to extract and crack Kerberos service ticket hashes.
DeviceProcessEvents
// the script name appears in the command line, not in FileName (which is the PowerShell host)
| where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Invoke-Kerberoast"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

15. Detect Unusual Access to LSA Secrets via Registry Access
LSA secrets stored in the registry can be accessed to extract credentials.
DeviceRegistryEvents
// DeviceRegistryEvents has no ProcessCommandLine column; the initiating process command line is used instead
| where RegistryKey contains "LSA" and InitiatingProcessCommandLine has_any ("save", "export")
| summarize count() by DeviceName, InitiatingProcessAccountName, RegistryKey

16. Monitor the Use of Pass-the-Hash Techniques via NTLM
Pass-the-hash attacks leverage stolen NTLM hashes to authenticate without knowing the password.
DeviceLogonEvents
// the logon protocol is recorded in the Protocol column; pass-the-hash yields successful NTLM network logons
| where Protocol == "NTLM" and LogonType == "Network" and ActionType == "LogonSuccess"
| summarize count() by AccountName, DeviceName, RemoteIP
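Counting every NTLM network logon is noisy on most estates, because NTLM is still used legitimately. A more useful signal is an NTLM network logon for an (account, source IP, target host) combination that has never been seen before. The query below is an added example for this page, not one of the original queries; the 30-day baseline, the 1-day detection window and the use of IsLocalAdmin as a priority marker are assumptions.

```kql
// Added example: first-seen NTLM network logons compared against a 30-day baseline.
// Pass-the-hash shows up as NTLM, LogonType "Network", usually from a source host the
// account never used before. Baseline length and detection window are assumptions.
let lookback = 30d;
let recent = 1d;
let ntlm_logons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback + recent)
    | where ActionType == "LogonSuccess" and Protocol == "NTLM" and LogonType == "Network"
    | where isnotempty(RemoteIP);
// Every account/source/target triple observed during the baseline period
let baseline =
    ntlm_logons
    | where Timestamp <= ago(recent)
    | distinct AccountName, RemoteIP, DeviceName;
// Recent logons whose triple is absent from the baseline (left anti join keeps only unmatched rows)
ntlm_logons
| where Timestamp > ago(recent)
| join kind=leftanti baseline on AccountName, RemoteIP, DeviceName
| summarize Logons = count(), FirstSeen = min(Timestamp),
    Targets = make_set(DeviceName, 50)
    by AccountName, RemoteIP, IsLocalAdmin
| extend TargetCount = array_length(Targets)
// One account reaching many new hosts from one source in a day is the lateral-movement shape
| order by IsLocalAdmin desc, TargetCount desc, Logons desc
```

The baseline is built from the same table, so the query needs no external allow-list; after the first run, anything that appears in the results and is confirmed benign will be in the baseline the next day automatically.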
17. Detect Attempts to Access LSASS Memory (Handles, Threads)
Attackers may attempt to access LSASS memory directly using various tools.
DeviceProcessEvents
| where FileName in~ ("procdump.exe", "procdump64.exe", "taskmgr.exe", "mimikatz.exe") and ProcessCommandLine has "lsass"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
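Queries 1, 2, 11 and 17 all depend on the string "lsass" appearing in a command line, which a renamed tool, a dump taken from the Task Manager GUI, or a tool that resolves the process by name at runtime never produces. Defender for Endpoint records a DeviceEvents row with ActionType "OpenProcessApiCall" when a process opens a handle to lsass.exe, and that event covers all four cases at once. The query below is an added example for this page, not one of the original queries; it assumes the DesiredAccess field is present in AdditionalFields for these events, and the list of expected callers is an assumption to be replaced with your own baseline.

```kql
// Added example: LSASS handle opens from DeviceEvents instead of command-line string matching.
// Assumptions: AdditionalFields carries a DesiredAccess value for OpenProcessApiCall events,
// and the expected_callers list below reflects your own baseline (these entries are placeholders).
let expected_callers = dynamic(["MsMpEng.exe", "MsSense.exe", "csrss.exe", "wininit.exe", "services.exe", "svchost.exe"]);
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (expected_callers)
| extend DesiredAccess = tolong(parse_json(AdditionalFields).DesiredAccess)
// PROCESS_VM_READ (0x0010) is required to read memory; a handle without it cannot dump credentials.
// PROCESS_ALL_ACCESS (0x1FFFFF) includes it, so full-access handles are caught as well.
| extend CanReadMemory = binary_and(DesiredAccess, 0x10) != 0
| where CanReadMemory
| summarize Opens = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, InitiatingProcessSHA1
| order by Opens desc
```

Grouping by folder path and SHA1 rather than by file name alone is what makes the result useful: a renamed dumper shows up as an unknown hash in an unusual directory, while a legitimate updater that happens to touch LSASS will have a stable hash you can add to the allow-list.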
18. Monitor the Use of CrackMapExec for Credential Attacks
CrackMapExec is a post-exploitation tool that can perform credential-related attacks.
DeviceProcessEvents
| where FileName =~ "crackmapexec.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

19. Track Use of BloodHound for Active Directory Credential Enumeration
BloodHound is a tool used to map AD objects and identify paths for privilege escalation.
DeviceProcessEvents
// SharpHound is the BloodHound data collector that actually runs on endpoints
| where FileName in~ ("bloodhound.exe", "sharphound.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

20. Detect Use of Windows Password Recovery Tools (e.g., Cain & Abel)
Password recovery tools may be used to extract stored credentials.
DeviceProcessEvents
| where FileName =~ "cain.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

21. Monitor the Use of Remote Credential Guard Techniques
Remote Credential Guard is designed to protect against credential theft over RDP sessions.
DeviceProcessEvents
// mstsc enables Remote Credential Guard with the /remoteGuard switch; that is the term present in the command line
| where FileName =~ "mstsc.exe" and ProcessCommandLine has "remoteGuard"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

22. Track Usage of Keyloggers for Credential Capture
Keyloggers may be used to capture credentials as they are typed.
DeviceProcessEvents
// the file names below are placeholders; substitute the names relevant to your environment
| where FileName in~ ("keylogger.exe", "capture.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

23. Monitor Tools Like Responder for LLMNR/NBT-NS Poisoning
Responder is used to capture credentials by poisoning LLMNR and NBT-NS requests.
DeviceProcessEvents
| where FileName =~ "responder.exe" or ProcessCommandLine has "Responder.py"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

24. Detect Enumeration of Windows Credential Guard Status
Windows Credential Guard can be enumerated to determine if it is enabled.
DeviceProcessEvents
// Win32_DeviceGuard is the WMI class that reports Credential Guard status
| where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-WinEvent", "Win32_DeviceGuard")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

25. Track Attempts to Exploit Credential Guard Vulnerabilities
Exploitation attempts may target Credential Guard to steal credentials.
DeviceProcessEvents
// "exploit.exe" is a placeholder name; replace it with the tooling relevant to your environment
| where FileName =~ "exploit.exe" and ProcessCommandLine has "CredentialGuard"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine