Winlogbeat-*

Detects the creation of a delegated Managed Service Account (dMSA) by an unusual subject account, potentially indicating an attempt to abuse weak permissions for privilege escalation in Active Directory.

This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.