Credential Access (TA0006) Techniques
Credential Access techniques involve adversaries attempting to steal account credentials such as usernames and passwords. The queries below are written for the Microsoft Defender XDR advanced hunting schema (KQL); each one is followed by the purpose it serves.
1. T1003 - OS Credential Dumping
Objective: Detect attempts to extract credentials stored on the operating system, such as those in memory, registries, or files.
- Detect LSASS Memory Dump
```kusto
DeviceProcessEvents
| where FileName in~ ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify the use of tools like procdump.exe to dump the memory of the LSASS process. `in~` and `has` are case-insensitive; a case-sensitive `==` on FileName would miss `ProcDump.exe`.
- Monitor for Mimikatz Execution
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "sekurlsa::logonpasswords")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect the execution of Mimikatz, a tool commonly used for credential dumping. A renamed binary or an in-memory copy leaves no such string on the command line, so pair this with the LSASS access rule further down.
- Identify SAM Registry Hive Extraction
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "reg save" and ProcessCommandLine has_any ("sam", "system")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for attempts to extract the SAM registry hive, which contains password hashes. The SYSTEM hive is included because its boot key is needed to decrypt the SAM. The conditions are ANDed: OR-ing the bare tokens "sam" and "system" would fire on every unrelated command line that happens to contain them.
- Detect NTDS.dit File Access
```kusto
DeviceFileEvents
| where FileName =~ "ntds.dit"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify access to the NTDS.dit file, which stores Active Directory credentials. DeviceFileEvents records file creation, modification, renaming and deletion rather than reads, so what this surfaces is a copy of the file being written (for example out of a shadow copy), not the live database being opened.
- Monitor for Use of Volume Shadow Copy Service (VSS)
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin", "shadowcopy", "ntds.dit")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect the use of VSS to copy the NTDS.dit file or other sensitive files. Backup software also calls vssadmin, so baseline the initiating account and parent process before alerting on this.
- Identify Use of DCSync to Replicate Domain Credentials
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "dcsync"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for DCSync attacks that attempt to replicate domain credentials from a domain controller. The command line only reveals unrenamed tooling; directory replication requests coming from accounts that are not domain controllers are the more reliable signal.
- Detect Use of CrackMapExec
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "CrackMapExec"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify the use of CrackMapExec, a tool often used for credential dumping and lateral movement.
- Monitor for Unauthorized Access to LSASS
```kusto
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessCommandLine has_any ("mimikatz", "procdump", "taskmgr", "process hacker")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect unauthorized processes accessing the LSASS process. A process-creation event never has lsass.exe as the launched process, which is why this rule uses the process-access action in DeviceEvents, where FileName is the process being opened. To catch renamed tools, drop the command-line filter and allow-list the security agents that legitimately open LSASS instead.
- Identify Suspicious Registry Reads
```kusto
DeviceRegistryEvents
| where RegistryKey has_any (@"HKEY_LOCAL_MACHINE\SAM", @"HKEY_LOCAL_MACHINE\SYSTEM")
    and InitiatingProcessFileName !~ "services.exe"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Monitor for unauthorized registry reads that could indicate credential dumping. RegistryKey is stored in its `HKEY_LOCAL_MACHINE\...` form, not as `HKLM`. DeviceRegistryEvents records key and value changes rather than reads, and `HKEY_LOCAL_MACHINE\SYSTEM` is the busiest hive on the machine, so expect to narrow this further before using it as an alert.
- Detect Password Extraction via PowerShell
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "powershell"
    and ProcessCommandLine has_any ("Get-ADReplAccount", "Get-Credential", "Export-Credential")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify PowerShell commands that attempt to extract or export credentials. Get-Credential is the standard interactive prompt cmdlet and will appear in legitimate administration scripts; Get-ADReplAccount is the higher-fidelity match.
2. T1110 - Brute Force
Objective: Detect attempts to gain unauthorized access to accounts by systematically guessing passwords.
- Detect Multiple Failed Logon Attempts
```kusto
IdentityLogonEvents
| where Timestamp > ago(1h) and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName
| where FailedAttempts > 10
| project LastAttempt, AccountName, DeviceName, FailedAttempts
```
Purpose: Identify accounts experiencing multiple failed logon attempts, which may indicate brute force attempts. Logon outcome is carried in ActionType (`LogonFailed` / `LogonSuccess`). Timestamp no longer exists after `summarize`, so the most recent attempt is kept as `max(Timestamp)`, and the `ago(1h)` window stops the count accumulating over the whole retention period.
- Monitor for Suspicious RDP Logon Failures
```kusto
DeviceLogonEvents
| where Timestamp > ago(1h) and LogonType == "RemoteInteractive" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName
| where FailedAttempts > 5
| project LastAttempt, AccountName, DeviceName, FailedAttempts
```
Purpose: Detect failed RDP logon attempts that may be part of a brute force attack. The `RemoteInteractive` logon type is reported by the endpoint in DeviceLogonEvents.
- Identify Brute Force Attempts on Service Accounts
```kusto
IdentityLogonEvents
| where Timestamp > ago(1h) and AccountName startswith "svc_" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName
| where FailedAttempts > 5
| project LastAttempt, AccountName, DeviceName, FailedAttempts
```
Purpose: Monitor for brute force attempts targeting service accounts.
- Detect SSH Brute Force Attempts
```kusto
DeviceNetworkEvents
| where Timestamp > ago(1h) and LocalPort == 22 and ActionType == "NetworkSessionDenied"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by RemoteIP, DeviceName
| where FailedAttempts > 10
| project LastAttempt, RemoteIP, DeviceName, FailedAttempts
```
Purpose: Identify SSH brute force attempts based on denied network sessions. For an attack against the monitored host the SSH port is the local port; `RemotePort == 22` would instead show the host connecting out to other SSH servers.
- Monitor for Brute Force Attempts Against Local Admin Accounts
```kusto
IdentityLogonEvents
| where Timestamp > ago(1h) and AccountName =~ "Administrator" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName
| where FailedAttempts > 3
| project LastAttempt, AccountName, DeviceName, FailedAttempts
```
Purpose: Detect brute force attempts targeting the local Administrator account.
- Identify Use of Automated Brute Force Tools
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("Hydra", "Medusa", "Ncrack")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for the execution of automated brute force tools.
- Detect Unusual Account Lockouts
```kusto
IdentityLogonEvents
| where Timestamp > ago(1d) and ActionType == "LogonFailed" and FailureReason contains "lock"
| summarize LockoutCount = count(), LastLockout = max(Timestamp) by AccountName, DeviceName
| where LockoutCount > 1
| project LastLockout, AccountName, DeviceName, LockoutCount
```
Purpose: Identify accounts that have been locked out due to repeated failed logon attempts. A lockout is a failed logon whose FailureReason names the lock, not a separate ActionType.
- Monitor for Failed Logons Across Multiple Devices
```kusto
IdentityLogonEvents
| where Timestamp > ago(1h) and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), Devices = dcount(DeviceName), LastAttempt = max(Timestamp) by AccountName
| where FailedAttempts > 10 and Devices > 1
| project LastAttempt, AccountName, Devices, FailedAttempts
```
Purpose: Detect failed logon attempts occurring across multiple devices, which may indicate distributed brute force attacks. Grouping by account alone and adding `dcount(DeviceName)` is what catches a spray that stays under every per-device threshold.
- Identify Unusual Logon Attempts by Non-Admin Accounts
```kusto
IdentityLogonEvents
| where Timestamp > ago(1h) and AccountName !contains "admin" and ActionType == "LogonFailed"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName
| where FailedAttempts > 5
| project LastAttempt, AccountName, DeviceName, FailedAttempts
```
Purpose: Monitor for brute force attempts targeting non-administrative accounts. There is no `has_not_any` operator in KQL; `!contains "admin"` excludes both "admin" and "administrator".
- Detect Brute Force Attempts on Remote Access Services
```kusto
DeviceNetworkEvents
| where Timestamp > ago(1h) and LocalPort in (3389, 22, 443) and ActionType == "NetworkSessionDenied"
| summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by RemoteIP, DeviceName
| where FailedAttempts > 10
| project LastAttempt, RemoteIP, DeviceName, FailedAttempts
```
Purpose: Identify brute force attempts targeting remote access services such as RDP, SSH, or VPN.
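The brute-force rules above are all one aggregation with different keys and thresholds: failures per account and device with a per-account threshold, and failures per account across devices for a spray. The following is an added Python example, not code from the page, that runs that aggregation offline over constructed IdentityLogonEvents-shaped rows so the difference between the two groupings is visible; `threshold_for` reflects the page's thresholds (3 for Administrator, 5 for `svc_` accounts, 10 otherwise), and all rows are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _at(minute):
    return datetime(2024, 1, 1, 9, minute, tzinfo=timezone.utc)


# Constructed rows shaped like IdentityLogonEvents (not real telemetry).
SAMPLE_LOGONS = (
    # 12 failures against one host in 12 minutes: per-device brute force
    [{"Timestamp": _at(m), "AccountName": "svc_backup", "DeviceName": "dc01", "ActionType": "LogonFailed"}
     for m in range(12)]
    # one failure per host across six hosts: a spray that never trips a per-device threshold
    + [{"Timestamp": _at(20 + i), "AccountName": "jdoe", "DeviceName": f"ws{i:02d}", "ActionType": "LogonFailed"}
       for i in range(6)]
    # a user who mistypes twice and then logs on
    + [{"Timestamp": _at(30), "AccountName": "asmith", "DeviceName": "ws07", "ActionType": "LogonFailed"},
       {"Timestamp": _at(31), "AccountName": "asmith", "DeviceName": "ws07", "ActionType": "LogonFailed"},
       {"Timestamp": _at(32), "AccountName": "asmith", "DeviceName": "ws07", "ActionType": "LogonSuccess"}]
)


def threshold_for(account):
    """Per-account thresholds mirroring the page's rules: stricter for Administrator and svc_ accounts."""
    name = account.lower()
    if name == "administrator":
        return 3
    if name.startswith("svc_"):
        return 5
    return 10


def _recent_failures(events, window):
    """Equivalent of `where Timestamp > ago(window) and ActionType == "LogonFailed"`, measured from the newest row."""
    newest = max(e["Timestamp"] for e in events)
    return [e for e in events if e["ActionType"] == "LogonFailed" and e["Timestamp"] >= newest - window]


def failed_by_account_device(events, window=timedelta(hours=1)):
    """`summarize FailedAttempts = count(), LastAttempt = max(Timestamp) by AccountName, DeviceName`
    followed by the per-account threshold."""
    counts, last = defaultdict(int), {}
    for e in _recent_failures(events, window):
        key = (e["AccountName"], e["DeviceName"])
        counts[key] += 1
        last[key] = max(last.get(key, e["Timestamp"]), e["Timestamp"])
    return {key: {"FailedAttempts": n, "LastAttempt": last[key]}
            for key, n in counts.items() if n > threshold_for(key[0])}


def spray_by_account(events, min_devices=5, window=timedelta(hours=1)):
    """Distributed variant: group by account only and add dcount(DeviceName), so a low-and-slow
    spray that stays under every per-device threshold is still surfaced."""
    devices, counts = defaultdict(set), defaultdict(int)
    for e in _recent_failures(events, window):
        devices[e["AccountName"]].add(e["DeviceName"])
        counts[e["AccountName"]] += 1
    return {acct: {"FailedAttempts": counts[acct], "Devices": len(devs)}
            for acct, devs in devices.items() if len(devs) >= min_devices}


if __name__ == "__main__":
    print(failed_by_account_device(SAMPLE_LOGONS))
    print(spray_by_account(SAMPLE_LOGONS))
```

On the sample data the per-device grouping reports only `svc_backup` on `dc01`, and the per-account grouping reports only `jdoe`; neither reports the user who mistyped twice, and shrinking the window to five minutes empties both results because the failures fall outside it.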
3. T1555 - Credentials from Password Stores
Objective: Detect attempts to access or extract credentials stored in password stores or credential managers.
- Detect Access to Windows Credential Manager
```kusto
DeviceProcessEvents
| where FileName =~ "cmdkey.exe" or ProcessCommandLine has "cmdkey"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to access credentials stored in the Windows Credential Manager using cmdkey.
- Monitor for Access to the Windows Vault
```kusto
DeviceFileEvents
| where FolderPath has @"\AppData\Local\Microsoft\Vault"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Detect attempts to access files within the Windows Vault directory. A literal `%USERNAME%` is never expanded inside a query, so the path is matched from `\AppData` down. DeviceFileEvents has no FileOperation column and does not record reads: what it returns is files being created, modified, renamed or deleted, which for this directory means a copy being made rather than the vault being opened.
- Identify Use of Browsing Data Extraction Tools
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("WebBrowserPassView", "ChromePass", "FirefoxDecrypt")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for the execution of tools designed to extract credentials from web browsers.
- Detect Access to LSA Secrets
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "secretsdump.py"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to dump LSA secrets using tools like secretsdump.py. The script is usually run from the attacker's own machine against the target, so this only fires where it is executed on a monitored endpoint.
- Monitor for PowerShell Credential Dumping Commands
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine has_any ("Get-Credential", "Export-Credential")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect PowerShell commands attempting to dump or export credentials.
- Identify Suspicious Access to Keychain on macOS (if applicable)
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "security find-generic-password"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for suspicious access to the macOS Keychain, which stores user credentials.
- Detect Access to Saved Passwords in Web Browsers
```kusto
DeviceFileEvents
| where FolderPath has_any (@"\AppData\Local\Google\Chrome\User Data", @"\AppData\Roaming\Mozilla\Firefox\Profiles")
    and FileName in~ ("Login Data", "logins.json", "key4.db")
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Identify attempts to access files associated with saved passwords in web browsers. The saved-password stores are Chrome's `Login Data` and Firefox's `logins.json` with its `key4.db` key database; the browsers themselves touch these files constantly, so they are excluded as the initiating process.
- Monitor for Unusual Access to DPAPI Master Keys
```kusto
DeviceFileEvents
| where FolderPath has @"\AppData\Roaming\Microsoft\Protect"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Detect access to DPAPI (Data Protection API) master keys, which are used to protect stored credentials.
- Identify Access to Password-Protected Archives
```kusto
DeviceFileEvents
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where InitiatingProcessCommandLine has "password"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for attempts to access or extract credentials from password-protected archives. DeviceFileEvents carries the command line of the process that touched the file as InitiatingProcessCommandLine, not ProcessCommandLine, and has no FileExtension column.
- Detect Access to Credential Files in Remote Desktop Clients
```kusto
DeviceFileEvents
| where FolderPath has @"\AppData\Local\Microsoft\Remote Desktop"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify access to credential files stored by Remote Desktop clients.
4. T1552 - Unsecured Credentials
Objective: Detect attempts to locate or use unsecured credentials, such as plaintext passwords or keys, stored in files or environment variables.
- Detect Access to Plaintext Credential Files
```kusto
DeviceFileEvents
| extend Ext = tolower(extract(@"\.[^.]+$", 0, FileName))
| where Ext in (".txt", ".log", ".conf", ".ini")
    and FileName matches regex @"(?i)(password|credential|creds)"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify access to files that may contain plaintext credentials. DeviceFileEvents has no FileExtension column, so the extension is extracted from FileName; a regex is used instead of `has_any` because `has` matches whole terms and would not match "passwords.txt".
- Monitor for Environment Variables Containing Credentials
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect commands that access environment variables containing credentials. Matching the variable name without the `$env:` prefix also catches the `$AWS_SECRET_ACCESS_KEY` and `set`/`export` forms used outside PowerShell.
- Identify Access to SSH Private Keys
```kusto
DeviceFileEvents
| where FileName endswith ".pem" or FileName has_any ("id_rsa", "id_ed25519")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Monitor for access to SSH private keys that may be stored insecurely.
- Detect Access to Cloud Provider Credential Files
```kusto
DeviceFileEvents
| where FolderPath has_any (".aws", ".azure", "gcloud") and FileName contains "credentials"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify attempts to access cloud provider credential files. The CLIs keep these under a per-user folder (`.aws\credentials`, the gcloud `application_default_credentials.json`), so the folder is matched together with the file name.
- Monitor for Access to Hardcoded Credentials in Scripts
```kusto
DeviceFileEvents
| extend Ext = tolower(extract(@"\.[^.]+$", 0, FileName))
| where Ext in (".ps1", ".sh", ".bat") and FileName contains "password"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Detect access to scripts that may contain hardcoded credentials. Advanced hunting does not expose file contents (there is no FileContent column), so this can only filter on the file name; inspecting what the scripts actually contain needs a content scan run against the files themselves.
- Identify Use of Commands to Dump Stored Credentials
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("gpg --decrypt", "openssl rsa")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for the use of commands that could decrypt stored credentials.
- Detect Access to Credential Files in Version Control
```kusto
DeviceFileEvents
| where FolderPath has_any (".git", ".svn") and FileName contains "credentials"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify access to credential files stored in version control systems.
- Monitor for Access to SQL Connection Strings
```kusto
DeviceFileEvents
| extend Ext = tolower(extract(@"\.[^.]+$", 0, FileName))
| where Ext in (".config", ".json", ".xml")
    and (FileName in~ ("web.config", "app.config", "appsettings.json") or FileName contains "connectionstring")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Detect access to configuration files that may contain SQL connection strings with embedded credentials. As above, file contents are not available in advanced hunting, so the query targets the configuration files where connection strings normally live.
- Identify Download of Publicly Exposed Credential Files
```kusto
DeviceNetworkEvents
| where RemoteUrl has_any ("/secrets/", "/credentials/")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessAccountName
```
Purpose: Monitor for downloads from URLs that may expose unsecured credentials. `RemoteUrl contains "/secrets/" or "/credentials/"` is a syntax error; the second operand must be its own comparison, which `has_any` expresses in one call.
- Detect Unencrypted Passwords Stored in Browser Extensions
```kusto
DeviceFileEvents
| where FolderPath has_any (@"\Chrome\Extensions", @"\Firefox\Profiles") and FileName contains "password"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify access to browser extensions that may store unencrypted passwords. File contents are not queryable here, so only the file name is matched.
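Several of the T1552 queries want to look inside scripts and configuration files for "password" or "ConnectionString", which advanced hunting cannot do. The following is an added Python example, not code from the page, of the content scan that covers that gap: it runs over the file types the queries name, reports the rule, line and a redacted sample for each hit, and applies one rule per line with the most specific first. The rules and the sample files are constructed for the example; the AWS secret value is the public example key from AWS documentation, not a real credential.

```python
import re

# Rules for a content scan, constructed for this example and ordered most to least specific.
PATTERNS = [
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws_secret_key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")),
    ("connection_string", re.compile(r"(?i)\bconnectionstring\b.*?\b(?:password|pwd)=([^;\"']+)")),
    ("password_assignment", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"';]+)")),
]

# The extensions the T1552 queries target.
SCAN_EXTENSIONS = {".ps1", ".sh", ".bat", ".config", ".json", ".xml", ".ini", ".conf", ".txt", ".log"}

# Constructed file contents (not taken from any real system).
SAMPLE_FILES = {
    "deploy.ps1": (
        '$cred = New-Object PSCredential("svc_deploy", (ConvertTo-SecureString $secure -AsPlainText -Force))\n'
        '$password = "Summer2024"\n'
        'Write-Host "done"\n'
    ),
    "web.config": (
        "<connectionStrings>\n"
        '  <add name="Main" connectionString="Server=db01;Database=app;User Id=app;Password=s3cr3t;" />\n'
        "</connectionStrings>\n"
    ),
    "backup.sh": (
        'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "tar czf /tmp/etc.tgz /etc\n"
    ),
    "README.md": 'password = "not-a-scanned-extension"\n',
}


def _extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def redact(secret):
    """Keep two characters so a finding can be matched to the file without copying the secret into a ticket."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(filename, text):
    """Return one finding per matching line: file, line number, rule name and a redacted sample."""
    findings = []
    if _extension(filename) not in SCAN_EXTENSIONS:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                secret = m.group(1) if m.groups() else ""
                findings.append({"file": filename, "line": lineno, "rule": rule, "sample": redact(secret)})
                break  # one finding per line; the most specific rule wins
    return findings


def scan_files(files):
    """Scan a {filename: contents} mapping; in practice the contents come from the files the queries surface."""
    return {name: scan_text(name, body) for name, body in files.items()}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{h['file']}:{h['line']} {h['rule']} sample={h['sample']}")
```

The connection-string line in `web.config` also satisfies the generic password pattern, which is why the rules are ordered and the loop stops at the first match: a finding should be reported under the most descriptive rule, not twice.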
5. T1111 - Two-Factor Authentication Interception
Objective: Detect attempts to intercept or bypass two-factor authentication (2FA) mechanisms.
- Detect Attempts to Access 2FA Backup Codes
```kusto
DeviceFileEvents
| where FileName contains "2fa_backup_codes"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify attempts to access files containing 2FA backup codes. DeviceFileEvents has no FileOperation column and does not log reads; this returns the file being created, modified, renamed or deleted.
- Monitor for Unusual 2FA Push Notifications
```kusto
DeviceNetworkEvents
| where RemoteUrl has_any ("authy.com", "duosecurity.com", "google.com")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Detect suspicious 2FA push notifications that may indicate interception. Host names are matched against RemoteUrl, not RemoteIP, and DeviceNetworkEvents does not carry the HTTP method or headers, so a `POST`-only filter has to be applied in proxy logs instead. "google.com" will match a large share of all web traffic; narrow on the initiating process before alerting.
- Identify Phishing Attacks Targeting 2FA Credentials
```kusto
DeviceNetworkEvents
| where RemoteUrl has_any ("2fa", "auth", "otp")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Monitor for phishing attempts that target 2FA credentials.
- Detect Access to OTP Generator Apps
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("Google Authenticator", "Authy", "Microsoft Authenticator")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to access or interact with OTP generator apps.
- Monitor for Unusual 2FA Verification Requests
```kusto
DeviceNetworkEvents
| where ipv4_is_in_any_range(RemoteIP, "216.58.0.0/16", "23.45.0.0/16")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Detect unusual or repeated 2FA verification requests that may indicate interception attempts. `in` compares strings literally and will never match an address against a CIDR block; `ipv4_is_in_any_range` does the range test.
- Identify Attempts to Modify 2FA Settings
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("disable_2fa", "remove_otp", "change_auth_method")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for attempts to disable or modify 2FA settings.
- Detect Use of Tools for 2FA Interception
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("evilginx", "Modlishka", "man-in-the-middle")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify the use of tools designed to intercept 2FA tokens.
- Monitor for Access to 2FA Secret Keys
```kusto
DeviceFileEvents
| where FileName contains "otp_secret"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Detect access to files containing 2FA secret keys.
- Identify Access to SIM Cards or Mobile Devices
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("SIM", "phone", "mobile device")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for attempts to intercept 2FA by accessing SIM cards or mobile devices. These tokens occur in a great many benign command lines; treat this as a hunting starting point rather than an alert.
- Detect Cloning or Reprovisioning of 2FA Devices
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("clone_device", "reprovision", "generate_otp")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to clone or reprovision devices used for generating 2FA codes.
6. T1528 - Steal Application Access Token
Objective: Detect attempts to steal or use application access tokens to gain unauthorized access to resources.
- Detect Unusual Access to OAuth Tokens
```kusto
DeviceFileEvents
| where FileName contains "oauth"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify attempts to access OAuth tokens stored on the system. DeviceFileEvents has no FileOperation column and does not log reads; this returns the file being created, modified, renamed or deleted.
- Monitor for Use of Stolen Access Tokens
```kusto
DeviceNetworkEvents
| where RemoteUrl has_any ("token", "access_token")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Detect the use of stolen access tokens to authenticate API requests. DeviceNetworkEvents does not record the HTTP method, so a `POST`-only filter belongs in proxy or API gateway logs.
- Identify Access to Web Browser Session Tokens
```kusto
DeviceFileEvents
| where FolderPath has_any (@"\AppData\Local\Google\Chrome\User Data", @"\AppData\Roaming\Mozilla\Firefox\Profiles")
    and FileName contains "session"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Monitor for access to files containing web browser session tokens.
- Detect Token Injection Attempts
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "Invoke-RestMethod" and ProcessCommandLine has "Authorization: Bearer"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to inject stolen tokens into API requests.
- Monitor for Access Token Replay Attacks
```kusto
DeviceNetworkEvents
| where RemoteUrl has "api" and RequestHeaders contains "Authorization: Bearer"
| project Timestamp, DeviceName, RemoteUrl, RequestHeaders, InitiatingProcessAccountName
```
Purpose: Detect replay of stolen access tokens in API requests. DeviceNetworkEvents carries no RequestHeaders column, so this query only works against a proxy or API gateway log table that does expose request headers; on the endpoint the same token seen from several devices is what replay looks like.
- Identify Unusual Use of JWT Tokens
```kusto
DeviceProcessEvents
| where ProcessCommandLine has "jwt"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Monitor for suspicious usage of JWT (JSON Web Tokens) which might indicate token theft.
- Detect Unauthorized Access to Cloud Provider Tokens
```kusto
DeviceFileEvents
| where FileName has_any ("gcloud", "aws", "azure")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
```
Purpose: Identify unauthorized access to cloud provider tokens stored on the system.
- Monitor for Attempts to Export Access Tokens
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("export_token", "extract_token")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Detect attempts to export or extract access tokens from applications.
- Identify Suspicious OAuth Token Refresh Requests
```kusto
DeviceNetworkEvents
| where RemoteUrl has "refresh_token"
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
```
Purpose: Monitor for unusual or repeated OAuth token refresh requests.
- Detect Malicious Token Exchange Processes
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_any ("token_exchange", "exchange_token")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```
Purpose: Identify attempts to perform token exchange processes that may be part of an attack.
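The JWT and token-replay rules above can only spot the word "jwt" or a bearer header; once a token itself turns up in a log line or a file, the triage questions are whether it has expired, how long it was issued for, whether its audience is the expected API, and whether it is even signed. The following is an added Python example, not code from the page, of that triage: `make_hs256_token` builds throwaway sample tokens with a constructed key, `triage_token` decodes the header and claims without verifying the signature (for hunting only, never for authorization), and `verify_hs256` shows the check the resource server performs. The reference time, key, claim values and audience are all assumptions.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims, key):
    """Constructs a sample HS256 token; the key is a throwaway used only to build example input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token):
    """Parse header and claims without checking the signature: for triage only, never for authorization."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token, key):
    """The resource server's check: recompute the HMAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def triage_token(token, expected_aud, now, max_lifetime=3600):
    """Return the flags that make a token seen in logs worth a closer look."""
    header, claims = decode_unverified(token)
    flags = []
    if str(header.get("alg", "")).lower() == "none":
        flags.append("alg_none")          # unsigned token presented as valid
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        flags.append("no_exp")            # never expires
    elif exp < now:
        flags.append("expired")           # replayed after its lifetime
    if exp is not None and iat is not None and exp - iat > max_lifetime:
        flags.append("long_lived")        # issued for far longer than the policy allows
    if claims.get("aud") != expected_aud:
        flags.append("unexpected_aud")    # minted for a different API than the one it was used on
    return flags


# Constructed sample input (assumed reference time in Unix seconds, throwaway key, made-up claims).
NOW = 1_700_000_000
KEY = b"example-signing-key-not-for-production"
GOOD = make_hs256_token({"sub": "svc_reports", "aud": "api.example.internal", "iat": NOW - 60, "exp": NOW + 600}, KEY)
ODD = make_hs256_token({"sub": "svc_reports", "aud": "other-app", "iat": NOW - 30 * 86400, "exp": NOW + 365 * 86400}, KEY)

if __name__ == "__main__":
    print("good:", triage_token(GOOD, "api.example.internal", NOW))
    print("odd: ", triage_token(ODD, "api.example.internal", NOW))
    print("signature ok:", verify_hs256(GOOD, KEY))
```

The `ODD` token is syntactically fine and correctly signed, which is the point: nothing in the transport layer flags it, only its year-long lifetime and wrong audience do.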