Detection

Keylogging

Keylogging is a method of capturing user keystrokes, which can be used to steal sensitive information such as usernames, passwords, credit card numbers, and other confidential data. Attackers use keyloggers to gain unauthorized access to accounts, systems, and networks, leading to financial loss, data breaches, and identity theft.

Event ID 4688 (A new process has been created): This event logs process creation events, including details like the process name and command line arguments. Monitoring this event can help identify:

  • Known Keyloggers: Look for the creation of processes associated with known keylogging software or those with suspicious names or characteristics.

  • Processes Launched from Unusual Locations: Be wary of processes launched from temporary directories, user profiles, or other non-standard locations.

  • Suspicious Command Lines: Examine command lines for indicators of keylogging activity, such as arguments related to hooking keyboard input or capturing data.

Event ID 4657 (A registry value was modified): Keyloggers often modify registry keys for persistence or configuration. Monitor changes to registry keys related to keyboard layouts, drivers, or accessibility features, as keyloggers might modify these to intercept keystrokes. Look for modifications made by suspicious processes or users.

Sysmon Event ID 6 (Driver loaded): Some keyloggers function as kernel-mode drivers to gain low-level access to keyboard input. Monitor for the loading of new or unknown drivers, especially those related to keyboard or input devices. Check for unusual driver names, descriptions, or publishers.

Sysmon Event ID 10 (Process access): This event logs when a process accesses another process. It can help detect keyloggers that inject code into other processes to capture keystrokes. Look for suspicious processes (identified through Event ID 4688) accessing processes like explorer.exe or winlogon.exe with PROCESS_VM_WRITE or PROCESS_VM_OPERATION rights, which could be indicative of code injection for keylogging.

Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Event ID 4656 (A handle to an object was requested): This event logs whenever a process attempts to open a file or directory. For browser credential theft, you'd focus on access requests to:

  • Browser profile directories (e.g., AppData\Local\Google\Chrome\User Data)

  • Specific files like Login Data (Chrome) or logins.json (Firefox) where credentials are often stored.

  • Pay close attention to processes that are not the web browser itself making these requests.

Event ID 4663 (An attempt was made to access an object): This event gives you more granular details than 4656. It shows:

  • The type of access: Was it a read operation (likely for stealing credentials)?

  • The process involved: Was it a suspicious process or a legitimate browser component?

  • Access mask: This technical detail tells you exactly what kind of access was requested.

Sysmon Event ID 10 (ProcessAccess): This Sysmon event goes beyond file access. It logs when one process interacts with another process. In the context of credential theft, this is crucial. Keep an eye on events where: A known credential dumping tool (like Mimikatz) accesses your browser process, or any process that shouldn't be interacting with the browser suddenly gains access.

LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.

Event ID 4688 (A new process has been created): This event can indirectly reveal credential dumping attempts. Monitor for the creation of processes known for credential theft (e.g., mimikatz.exe, procdump.exe) or unusual processes launched by LSASS.

Event ID 4697 (A service was installed in the system): Attackers might install malicious services that interact with LSASS. Look for the installation of unknown or suspicious services.

Sysmon Event ID 10 (ProcessAccess): This event is a cornerstone for detecting LSASS attacks. It logs when a process accesses another process. Look for the following patterns:

  • Processes with an unknown reputation accessing LSASS.

  • Unusual processes accessing LSASS.

  • Processes accessing LSASS with specific access rights (e.g., PROCESS_VM_READ for reading memory).

Credentials in Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Event ID 4656 (A handle to an object was requested): This event logs every time a process tries to access a file or directory, whether it's successful or not. For credential hunting, you'd focus on access attempts to common credential storage locations:

  • User Profiles: Look for processes accessing files like credentials.txt or folders like AppData\Roaming\Microsoft\Credentials.

  • Configuration Files: Processes reading .config, .ini, or other configuration files could be seeking embedded passwords.

  • Shared Drives: Unusual access patterns (e.g., many files read in rapid succession) on network shares could signal a credential search.

Event ID 4663 (An attempt was made to access an object): This event is the next step after 4656. It confirms that the access attempt was successful and tells you exactly what happened (read, write, etc.). Look for:

  • Processes Reading Sensitive Files: Focus on read accesses to credential-related files by processes that shouldn't be touching them (e.g., cmd.exe reading a config file).

  • Repeated Accesses: A single read might be legitimate, but multiple reads from the same file or directory by the same process could be a sign of data collection.

Event ID 4688 (A new process has been created): This event logs every new process that starts, including who started it (parent process) and what it's trying to do (command line).

  • Credential Dumping Tools: Watch for the launch of known tools like Mimikatz or custom scripts with suspicious names.

  • Unexpected Process Launches: A sudden cmd.exe or powershell.exe process from an unusual parent (like a web browser) could indicate a compromised application being used to run credential-stealing commands.

  • Command Line Clues: Scrutinize the command line arguments for keywords like "password," "creds," or even file paths to common storage locations.

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Event ID 4656 (A handle to an object was requested): This event is triggered when a process attempts to open a file or registry key. It can be used to detect attempts to access password storage locations, such as the Windows Credential Manager or the LSA Secrets. Look for Event ID 4656 events where the object accessed is a file or registry key known to store passwords. For example, you could look for events where the object path contains the strings "Credential Manager", "LSA Secrets", or "NTOSKNT".

Event ID 4663 (An attempt was made to access an object): This event is similar to Event ID 4656, but it is triggered when a process attempts to access an object that it does not have permission to access. This can be used to detect attempts to access password storage locations that are protected by access control lists (ACLs). Look for Event ID 4663 events where the object accessed is a file or registry key known to store passwords. Additionally, look for events where the access request was denied.

Event ID 4657 (A registry value was modified): This event is triggered when a process modifies a registry value. It can be used to detect attempts to modify registry keys that store passwords. For example, you could look for events where the registry path contains the strings "Credential Manager", "LSA Secrets", or "NTOSKNT". Additionally, look for events where the value data contains sensitive information, such as usernames or passwords.

Event ID 4688 (A new process has been created): This event is triggered when a process accesses a privileged object, such as a security descriptor or an object that grants access to other objects. It can be used to detect attempts to access password storage locations that are protected by security descriptors. Look for Event ID 4688 events where the object accessed is a file or registry key known to store passwords. Additionally, look for events where the access request was granted.

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism

Event ID 4625: "An account failed to log on." This is the most crucial event for brute force detection. A high frequency of this event from a single source IP or for a specific user account is a strong indicator of brute force attempts.

Event ID 4624: "An account was successfully logged on." While a successful login isn't always malicious, it's important to monitor this event in conjunction with Event ID 4625 to see if a successful login follows a series of failed attempts. This could indicate a successful brute force attack.

Event ID 4776: "The domain controller failed to validate the credentials for an account." This event is similar to Event ID 4625 but occurs specifically on domain controllers. It's helpful for detecting brute force attempts against Active Directory accounts.

Event ID 4740: "A user account was locked out." This event indicates that an account has been locked after exceeding the maximum number of failed login attempts. While it's a security measure, it also signals a potential brute force attack in progress.

OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.

Event ID 4672: "Special privileges assigned to new logon." Many credential dumping tools require elevated privileges to access sensitive system processes and memory spaces. Monitor for unexpected or unusual accounts (especially non-administrative accounts) being assigned special privileges like "Debug programs," "Act as part of the operating system," or "Impersonate a client after authentication." Correlate this event with the execution of known credential dumping tools or suspicious processes.

Event ID 4688: "A new process has been created." This event logs process creation details, including the command line used. Look for the creation of processes commonly associated with credential dumping (e.g., Mimikatz, ProcDump) or any unusual processes with command lines that suggest interaction with LSASS (Local Security Authority Subsystem Service), which stores credentials.

Sysmon Event ID 10: "Process access." This event records when a process accesses another process. Credential dumping tools often need to interact with the LSASS process to extract credentials. Monitor for suspicious processes accessing the LSASS process with permissions that allow for reading or writing memory. This can be a strong indicator of credential theft in progress.

Security Account Manager (SAM)

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host.

Event ID 4657: A registry value was modified: The SAM database is linked to registry keys. Any attempt to modify these keys (e.g., by tools trying to extract the SAM) will trigger this event. Monitor for modifications under the HKLM\SAM registry hive, particularly in subkeys related to user accounts and passwords. Look for suspicious process names modifying these keys.

Event ID 4663: An attempt was made to access an object: This event logs attempts to access files or registry keys. Unauthorized access to the SAM file (C:\Windows\System32\config\SAM) or its corresponding registry keys could indicate credential theft. Focus on access attempts from unusual processes or users, especially if the access mask indicates an attempt to read or modify the SAM data.

Event ID 4688: A new process has been created: This event is key for detecting the launch of any process, including those used for credential dumping. Monitor for the creation of known credential dumping tools (e.g., Mimikatz, pwdump) or any suspicious process that might interact with the SAM file or registry keys.

Event ID 4672: Special privileges assigned to new logon: Many credential dumping tools require elevated privileges (like "Debug programs") to access sensitive system data, including the SAM database. Monitor for this event with a focus on unusual user accounts (especially non-administrative accounts) being granted such privileges, especially when followed by other suspicious activities.

Sysmon Event ID 10: Process access: This event logs when a process accesses another process. Credential dumping tools often need to interact with the lsass.exe process, which handles authentication and stores credentials. Monitor for suspicious processes (identified through Event ID 4688 or other means) accessing lsass.exe with permissions that allow reading or writing memory. This is a strong indicator of potential credential dumping.

LSA Secrets

Adversaries with SYSTEM access to a host may attempt to escalate privileges by accessing Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry. LSA secrets can also be dumped from memory.

Event ID 4663 (An attempt was made to access an object): This event logs every instance where a process accesses an object, whether successful or not. This includes access to the LSA Secrets portion of the registry, where sensitive credentials are stored. Look for events where the Object Name includes references to LSA Secrets, like "\Registry\Machine\Security\Policy\Secrets". The Accesses field will detail the type of access attempted (e.g., read, write, etc.). Unauthorized access types like ReadControl or WriteDac are particularly suspicious. Check if the account performing the access is indeed the SYSTEM account or a process running under its context.

Event ID 4656 (A handle to an object was requested): This event precedes Event ID 4663 and details the request for a handle to an object. While it doesn't confirm actual access, it provides additional context. Similar to Event ID 4663, look for instances where the Object Name relates to LSA Secrets and the Account Name is the SYSTEM account. The Access Mask field can also give clues about the type of access requested.

Sysmon Event ID 10 (Process access): This event provides detailed information about process interactions. In the context of LSA secrets, it's crucial for identifying when a process accesses the Local Security Authority (LSA) process (lsass.exe), which is responsible for managing these secrets. SourceProcessGUID: The GUID of the process accessing LSASS. If it's a process running with SYSTEM privileges, this should raise a red flag. TargetProcessGUID: Verify that this GUID corresponds to the lsass.exe process. GrantedAccess: Pay close attention to access rights like PROCESS_VM_READ or PROCESS_QUERY_INFORMATION, which could indicate an attempt to read the memory space of LSASS where secrets might be stored.

Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. This is done to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

Event ID 4625: An account failed to log on. This event is the cornerstone of password spraying detection. Each failed login attempt is recorded, providing crucial details like the username, source IP address, and timestamp. Indicators of Password Spraying:

  • Multiple Failed Logins from a Single IP: A hallmark of password spraying is numerous failed login attempts originating from the same IP address within a short timeframe.

  • Different Usernames per Attempt: Attackers will cycle through various usernames, typically targeting common ones or following a pattern, while using the same password.

  • Failure Reasons: Look for failure reasons like "Unknown username or bad password." This indicates an incorrect password rather than issues like locked-out accounts.

Event ID 4648: A logon was attempted using explicit credentials. This event provides additional context about login attempts, including the type of logon (e.g., network, interactive) and the authentication package used. Combining this event with 4625 can help confirm that the failed logins are indeed part of a password spraying attack. Focus on network logons, as password spraying often occurs remotely.

Event ID 4776: The domain controller failed to validate the credentials for an account. This event is specific to domain controllers and records failed login attempts for domain accounts. It's particularly valuable for detecting password spraying targeted at Active Directory environments. Look for multiple failed logins from a single IP address across various domain user accounts.

NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.

Event ID 4656 (A handle to an object was requested): This event indicates when a process requests access to an object, such as the NTDS.DIT file. It can signal the initial phase of an attack. Look for requests from unexpected processes or users, especially with excessive permissions (e.g., GENERIC_ALL) that aren't typically needed for legitimate operations.

Event ID 4663 (An attempt was made to access an object): This event logs both successful and failed attempts to access an object. It helps confirm if the access requested in Event ID 4656 was actually granted or denied. Look for patterns of repeated access attempts, especially from unfamiliar processes or users. Failed access attempts can also be suspicious, indicating that an unauthorized actor is trying to gain access.

Event ID 2886 (The Active Directory Domain Services database was shut down unexpectedly): The NTDS.DIT file is crucial for Active Directory operation. An unexpected shutdown could indicate an attacker is trying to manipulate or copy the file while it's offline. This event itself is suspicious, especially if there's no legitimate reason for the shutdown. Correlate it with other events (e.g., process creation or file access) to determine if it's part of an attack.

Event ID 2887 (The Active Directory Domain Services database could not be initialized): This event can signal a failed attempt to modify or corrupt the NTDS.DIT file, potentially during an attack. Similar to Event ID 2886, this event is inherently suspicious. Correlate it with other events to get a clearer picture.

Sysmon Event ID 10 (Process Access): This event provides detailed information about process interactions. It can reveal attempts to access the NTDS.DIT file directly or indirectly (e.g., by interacting with the LSASS process, which is responsible for Active Directory authentication).

  • SourceProcessGUID: The GUID of the process accessing the NTDS.DIT file. If it's a process you don't recognize or one not typically associated with AD administration, it warrants further investigation.

  • TargetFilename: Confirm that the target file is indeed the NTDS.DIT file or a related component.

  • GrantedAccess: Look for access rights that indicate an attempt to read, modify, or delete the file (e.g., GENERIC_READ, GENERIC_WRITE, DELETE).

Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Event ID 5156 (Windows Filtering Platform): This event logs network traffic allowed or blocked by the Windows Firewall. While not a direct indicator of sniffing, it can reveal suspicious network activity patterns. Look for unusual traffic patterns that might indicate a system acting as a sniffing device or relaying captured data. This could include:

  • High volume of traffic: A sudden increase in outgoing traffic from a system not normally involved in heavy network communication.

  • Unexpected destinations: Traffic flowing to unknown or external IP addresses not associated with typical business operations.

  • Specific protocols: Increased use of protocols commonly targeted by sniffers (e.g., HTTP, FTP, Telnet).

Event ID 4688 (A new process has been created): This event records process creation events, including the command line used. Monitor for the execution of known network sniffing tools (e.g., Wireshark, tcpdump, Ettercap) or any suspicious processes with command lines that suggest network capture or packet analysis (e.g., "pcap," "-i eth0," "-w capture.pcap").

Sysmon Event ID 3 (Network connection): Provides more granular details about network connections than native Windows events. Look for network connections initiated by processes you've identified as potentially related to sniffing (via Event ID 4688). Monitor for connections using protocols and ports not typically used in your environment, especially if associated with known sniffing tools. If a system is exfiltrating large amounts of data, it could indicate the transfer of captured network traffic.

Sysmon Event ID 22 (DNS query): Can reveal DNS queries made by sniffing tools to resolve the domain names of their targets or command-and-control (C2) servers. Look for queries to domains associated with known malware or suspicious activities. Repeated failed DNS queries could indicate a sniffing tool trying to reach its C2 server.

Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. An adversary may guess login credentials by using a list of common passwords.

Event ID 4625: "An account failed to log on." This is the primary event for detecting failed login attempts, which are the hallmark of password guessing attacks. Look for:

  • Multiple failed logins for the same account: This indicates an attacker repeatedly trying different passwords for a single user.

  • Failed logins for multiple accounts from a single IP address: This suggests an attacker testing a few common passwords across various accounts.

  • Failure reasons: Focus on failures due to "Unknown username or bad password."

Event ID 4648: "A logon was attempted using explicit credentials." This event provides more context about the login attempt, including the logon type and authentication package. Look for Network logons (type 3), as password guessing often occurs remotely.

Event ID 4776: "The domain controller failed to validate the credentials for an account." This is the domain controller equivalent of Event ID 4625 and is crucial for detecting password guessing against Active Directory accounts.

Event ID 4771: "Kerberos pre-authentication failed." This can be triggered during password guessing attacks that use Kerberos authentication. Multiple failures for a single account might indicate an ongoing attack.

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

While Windows event logs don't directly track session cookie theft, you can leverage some events in combination with other tools and indicators to detect suspicious activity that might suggest this type of attack.

Event ID 4648 (A logon was attempted using explicit credentials): This event provides details about login attempts, including the logon type and authentication package used. If successful logins are happening without explicit credentials (e.g., using a cached session cookie), it could indicate an attacker is bypassing the normal authentication process.

Event ID 4688 (A new process has been created): Attackers might use tools or scripts to automate session cookie theft or usage. Monitor for the creation of suspicious processes associated with known web exploitation tools or with command lines that suggest interaction with browsers or web applications.

Other Logs and Tools:

  • Browser Logs: Examine the browser history or logs of the compromised system for any unusual activity, such as access to sites or services the user wouldn't normally visit.

  • Web Server Logs: Web server logs can reveal requests made using stolen cookies, including the source IP address and user agent information.

Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Event ID 4656 (A handle to an object was requested): This event is triggered when a process attempts to open a handle to an object, which could include a private key file. Look for events where the Object Name indicates access to directories known to store certificates. Focus on accesses by processes not typically associated with certificate management.

Event ID 4663 (An attempt was made to access an object): This event logs both successful and failed access attempts to objects. Similar to 4656, look for accesses to certificate directories or files. Failed attempts can be just as important, as they may indicate an attacker probing for private keys without proper authorization.

Event ID 4688 (A new process has been created): This event logs the creation of new processes, including their command lines. Monitor for the execution of known tools associated with credential dumping (e.g., Mimikatz) or suspicious processes with command lines suggesting interaction with certificate stores or files (e.g., "certutil.exe -exportPFX").

Sysmon Event ID 10 (Process access): This event provides detailed information about process interactions. In this context, it can help detect when a process accesses another process that handles certificates (e.g., the Cryptographic Services process). Look for processes with suspicious origins or command lines accessing processes related to certificate management. Pay attention to access rights like PROCESS_VM_READ or PROCESS_QUERY_INFORMATION, which could suggest an attempt to read the memory space of a process where private keys might be stored.

Event ID 4657 (A registry value was modified): Windows stores various certificate-related settings and configurations in the registry. Attackers looking for private keys might attempt to modify these registry values to locate certificate stores: The registry contains information about the locations where certificates are stored. By modifying these values, an attacker could try to discover the paths to private key files. Pay attention to changes in values that control certificate storage locations, revocation checking, or other security settings.

Credential API Hooking

Credential API Hooking is a technique that allows attackers to intercept and capture credentials as they are entered or processed by legitimate applications and system processes. By inserting malicious code into these processes, attackers can gain direct access to sensitive information without the user's knowledge, bypassing security measures like encryption and password managers.

Event ID 4611 (A trusted logon process has been registered with the Local Security Authority): This event is logged when a new logon process registers with the Local Security Authority (LSA). Attackers can use DLL injection to hook into these logon processes and intercept credential information. Look for the registration of unusual or unknown logon processes that don't normally handle authentication. This could suggest that a malicious DLL has been injected into the process.

Event ID 4688 (A new process has been created): This event logs process creation events, including details like the process name and command line arguments. Monitor for the creation of processes known to be used for DLL injection (e.g., process hacker tools, suspicious scripts) or processes with unusual command lines that suggest interaction with credential APIs.

Event ID 4672 (Special privileges assigned to new logon): API hooking often requires elevated privileges. This event logs the assignment of special logon rights, such as "Debug programs" or "Act as part of the operating system. Be suspicious if unusual or non-administrative accounts are granted these privileges, especially if it's followed by the creation of suspicious processes or DLL loading.

Sysmon Event ID 7 (Image loaded): This event logs DLL loading activity, which is crucial for detecting DLL injection (a common method for API hooking). Look for unusual DLLs being loaded into processes involved in authentication (e.g., lsass.exe). Pay attention to DLLs loaded from unusual locations or those with suspicious hashes.

Sysmon Event ID 8 (CreateRemoteThread): Some DLL injection techniques use CreateRemoteThread to inject code into another process. Monitor for the creation of remote threads in authentication-related processes, especially by suspicious processes identified in Event ID 4688.

Windows Credential Manager

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).

Event ID 4656 (A handle to an object was requested): This event logs when a process attempts to open a handle to an object, which can include the vault files where the Credential Manager stores credentials. Look for events where the Object Name points to the Credential Manager vault files, typically located in %AppData%\Microsoft\Credentials\. Be especially suspicious if the requesting process isn't a known legitimate credential management tool.

Event ID 4663 (An attempt was made to access an object): This event is similar to 4656 but logs both successful and failed access attempts. Focus on access attempts to Credential Manager vault files by unusual processes or with unusual access rights (e.g., READ_CONTROL or WRITE_DAC). Failed attempts could suggest an attacker trying to gain unauthorized access.

Event ID 4688 (A new process has been created): This event logs process creation details, including the command line. Monitor for the creation of known credential dumping tools (e.g., Mimikatz, LaZagne) or suspicious processes with command lines suggesting interaction with the Credential Manager.

Event ID 4672 (Special privileges assigned to new logon): Some tools used to extract credentials from the Credential Manager require elevated privileges. Look for this event when unusual or non-administrative accounts are granted "Debug programs" or other high-level privileges, especially if it's followed by suspicious process creation or access to Credential Manager files.

Sysmon Event ID 10 (Process Access): This event records when a process accesses another process. Attackers might use tools that interact with the lsass.exe process, which stores credentials in memory. Monitor for suspicious processes (identified through Event ID 4688 or other means) accessing lsass.exe with permissions that allow reading or writing memory.

Cached Domain Credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.

Event ID 4624 (An account was successfully logged on): This event is crucial because it logs all successful logins, including those using cached credentials when a domain controller is unavailable. Look specifically for logon type 11 (CachedInteractive). This indicates a successful login using cached domain credentials. Pay attention to repeated logins using cached credentials from the same user or device within a short timeframe. This could be a sign of an attacker attempting to exploit cached credentials.

Event ID 4648 (A logon was attempted using explicit credentials): This event logs logon attempts with explicit credentials (username and password). It is useful for comparison with successful logins using cached credentials (Event ID 4624). A successful login using cached credentials (Event ID 4624) without a corresponding Event ID 4648 for the same user could indicate an attacker is bypassing the normal authentication process and using stolen cached credentials.

Event ID 4672 (Special privileges assigned to new logon): Some tools designed to extract cached credentials require elevated privileges, such as "Debug programs" or "Act as part of the operating system." Monitor for this event, especially when it involves unusual accounts or non-administrative users gaining these privileges. If it's followed by suspicious activity related to cached credentials, it could signal an attack in progress.

Sysmon Event ID 10 (Process Access): Sysmon provides granular visibility into process interactions. It can detect when a process accesses another process involved in credential management. Look for suspicious processes accessing lsass.exe (Local Security Authority Subsystem Service) with the PROCESS_VM_READ right. This indicates a potential attempt to read memory where cached credentials might be stored. Monitor for processes accessing files associated with cached credentials (e.g., the registry hive where cached credentials are stored).

Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Event ID 4656: A handle to an object was requested. This event logs whenever a process requests a handle to a registry key. This handle allows the process to interact with the key (e.g., read, write, or delete values). Look for accesses to known sensitive registry locations where credentials or configuration data might be insecurely stored, such as:

  • HKLM\SOFTWARE\*\CurrentVersion\Run: Attackers might attempt to add entries here for persistence.

  • Application-Specific Keys: Many applications store connection strings, API keys, or even passwords in their own registry keys.

  • Cryptographic Keys: The registry can also hold keys used for encryption or decryption, which an attacker might try to access.

Event ID 4657: A registry value was modified. This event records changes made to specific values within registry keys. Look for modifications to values that might contain sensitive information like usernames, passwords, or connection strings. Pay close attention to changes in the sensitive registry areas mentioned above.

Event ID 4663: An attempt was made to access an object. This event logs both successful and failed access attempts to registry keys. It can help confirm whether access requested in Event ID 4656 was granted or denied. Repeated failed attempts to access sensitive registry keys might indicate an attacker trying to brute-force or guess credentials.

Event ID 4688: A new process has been created. This event provides details about new processes being launched, including their command lines. Look for the creation of processes known to extract credentials or interact with the registry in a suspicious manner (e.g., reg.exe, PowerShell with registry-related commands).

PreviousProceduresNextDetection Indicators

Last updated