Credential-Access

Adversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.

A critical vulnerability, CVE-2026-46376, exists in FreePBX due to the use of hard-coded credentials in the User Control Panel (UCP) generic template setup process, allowing an unauthenticated, remote attacker to gain unauthorized access to user accounts and manipulate user settings if default template credentials are not immediately changed by the administrator after enabling UCP.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

The analytic identifies potential threats related to the theft or forgery of authentication certificates by detecting when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe, indicating an ongoing attack aimed at compromising authentication mechanisms that could grant unauthorized access to sensitive systems and data.

This rule detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets, indicating potential credential access.

Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 are vulnerable to CVE-2026-45332, a Broken Access Control vulnerability that allows an unauthenticated attacker to retrieve bcrypt password hashes of administrator accounts using a single POST request to the `/_api/user-collection/create-first-user` endpoint, potentially leading to credential compromise and information disclosure.

IBM Controller versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2 are vulnerable to hard-coded credentials (CVE-2026-5065), potentially allowing unauthorized access and control of the application.

This rule detects suspicious network activity from tools or scripts attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance-specific information and credentials.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

A vulnerability in XWiki Platform allows an attacker to reconstruct password hashes using 768 requests through the `LiveTableResults` macro, impacting versions prior to 18.0.0RC1, 17.10.13, 17.4.9, and 16.10.17.

code100x Mobile API contains an authentication bypass vulnerability (CVE-2026-8890) allowing unauthenticated attackers to impersonate arbitrary users by crafting a JSON payload in the 'g' HTTP header, skipping identity header validation and granting unauthorized access to course data.

This rule detects the execution of macOS built-in commands such as `defaults`, `mkpassdb`, and `dscl` used by adversaries to dump user account hashes for credential access and lateral movement.

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.

CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

OpenMetadata version 1.12.1 is vulnerable to an information disclosure issue where a non-admin user can trigger a TEST_CONNECTION workflow for a Database Service and receive the cleartext database password and the ingestion bot JWT in the HTTP response, enabling privilege escalation.

Multiple vulnerabilities have been discovered in Apereo Java CAS client versions prior to 4.1.1, potentially leading to data confidentiality breaches as detailed in the casc-jwt-vuln security bulletin.

CVE-2026-7571 describes a vulnerability in Keycloak where a low-privilege user can bypass security controls intended to disable the implicit flow in OpenID Connect (OIDC) clients by manipulating client data during session restart, potentially exposing access tokens.

Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.

When ENABLE_MULTI_TENANT=true, n8n-mcp requests that omit x-n8n-url or x-n8n-key headers silently fall back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance; an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own, leading to potential data access and code execution on the operator's n8n instance.

Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.

Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under kube-system or default namespaces, indicating potential credential access or discovery attempts.

This rule detects Kubernetes audit events where node or pod service accounts are accessing secrets via `get` or `list` operations, which may indicate credential access attempts by attackers sweeping Secret objects for sensitive information.

This rule detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.

The rule detects the use of the 'kubectl get secrets --all-namespaces' command, which enumerates secret resources across the entire Kubernetes cluster, potentially aiding credential discovery, privilege escalation, or lateral movement by attackers.

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability (CVE-2020-37228) that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object and performing brute-force attacks against user accounts.

Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.

phpMyFAQ before 4.1.2 is vulnerable to improper restriction of excessive authentication attempts in the /admin/check endpoint, allowing unauthenticated attackers to brute-force any user's six-digit TOTP code and bypass two-factor authentication, potentially gaining full administrative access (CVE-2026-45010).

A man-in-the-middle attacker within the TI network can exploit CVE-2026-45575 in com.oviva.telematik:epa4all-client versions prior to 1.2.2 to substitute a forged discovery document and capture signed authentication material.

The epa4all-client library before version 1.2.2 is vulnerable to a TLS certificate validation issue, allowing a man-in-the-middle attacker to intercept SOAP traffic and sensitive patient data by presenting a malicious TLS certificate.

A local exploit has been published for Windows Snipping Tool (CVE-2026-33829), enabling NTLMv2 Hash Hijacking by forcing authentication to a remote SMB server via a crafted ms-screensketch:edit URI, potentially leading to credential theft and lateral movement.

OpenAI was impacted by the TanStack supply chain attack, resulting in two employee devices being compromised and the exfiltration of credential material from internal source code repositories.

Multiple vulnerabilities in the Palo Alto Networks GlobalProtect App could allow an attacker to gain administrator privileges, execute arbitrary code with administrator privileges, disclose sensitive information, manipulate data, and cause a denial-of-service condition.

Multiple vulnerabilities in F5 BIG-IP products could allow an attacker to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

Portainer's authentication middleware accepts JWT bearer tokens passed as the `?token=<JWT>` URL query parameter on any authenticated API endpoint, leading to JWT leakage to logs and referrers, where a leaked token grants the full privileges of the user it was issued to, until the token expires.

FlowiseAI versions 3.1.1 and earlier leak encrypted credential data when API requests include a `credentialName` filter, potentially leading to full credential theft if combined with access to the encryption key.

FlowiseAI exposes a basic authentication endpoint without rate limiting, allowing attackers to brute-force credentials and gain unauthorized access to the application.

CVE-2026-23998 describes a vulnerability in Fleet's Windows MDM management endpoint that allows requests to be processed without proper client certificate validation, potentially allowing an attacker to impersonate a device and retrieve sensitive configuration data.

Systempay 1.0 contains a weak cryptographic implementation vulnerability (CVE-2020-37168) allowing attackers to brute-force the production secret key, forge payment signatures, and manipulate transaction amounts.

SillyTavern versions 1.17.0 and earlier do not invalidate existing sessions after a password change, allowing attackers with stolen session cookies to retain access, even after the victim resets their password, and nullifies the password reset as a recovery measure against session theft.

This rule identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory by detecting specific API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting the 'lsass.exe' process.

A threat actor compromised a third-party IT services provider and abused legitimate IT management tools like HPE Operations Agent to conduct a stealthy campaign focusing on long-term access, credential theft, and persistent footholds within a target environment.

sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token, allowing an attacker with a leaked token and the master key to mint new unseal tokens indefinitely.

CVE-2025-40946 describes a vulnerability in KACO new energy blueplanet products where a weak CRC16-based algorithm for generating Technical Service credentials could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access.

The rule detects the creation of Kubernetes service account tokens through the TokenRequest API by non-system identities, which can be abused to escalate privileges, pivot to cloud resources, or generate persistent tokens, bypassing file system-based detection.

MantisBT is vulnerable to a missing authorization check in its file visibility function, allowing authenticated users with REPORTER or higher access to download attachments on private bugnotes they should not be able to access through the REST API and SOAP API, affecting versions 2.23.0 to 2.28.1.

GuardDog versions 1.0.0 through 2.9.0 are vulnerable to Server-Side Request Forgery (SSRF) and potential `GH_TOKEN` exfiltration due to a blind URL rewrite in remote project scanning; an attacker can influence the scanned repository URL to trigger SSRF and capture the `GH_TOKEN` used by GuardDog.

Ech0's access tokens with the 'never expire' option cannot be revoked through logout or deletion, leading to persistent access until the JWT secret is rotated instance-wide.

A remote authenticated attacker who shares a room with a victim can steal their Matrix access token by injecting a malicious emote pack, exploiting improper URL validation and service worker behavior in Cinny versions prior to 4.10.3.

Attackers can silently redirect Claude Code MCP traffic to intercept OAuth tokens, enabling persistent access to connected SaaS platforms by modifying the ~/.claude.json file in a man-in-the-middle attack.

Multiple vulnerabilities in VMware Tanzu Spring Cloud Config could allow an attacker to disclose sensitive information or manipulate data.

A missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism, affecting versions v3.2.0-v3.2.10 and v3.3.0-v3.3.8.

An insecure direct object reference in Cisco Slido's REST API could have allowed an authenticated remote attacker to access social profile data or affect quiz/poll results.

A sophisticated phishing campaign targeting US organizations uses a 'code of conduct review' theme to lure victims to a malicious website, employing adversary-in-the-middle (AitM) techniques to capture authentication tokens and gain account access.

The client_secret field in Prometheus' Azure AD remote write OAuth configuration was exposed in plaintext via the `/-/config` HTTP API endpoint, due to being incorrectly typed as a string, potentially allowing unauthorized access to sensitive credentials.

An authenticated local attacker can gather credential information from ABB B&R PVI client application logs when logging is enabled, addressed in version 6.5.0 (CVE-2026-0936).

This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.

Argo Workflows versions 4.0.0 to 4.0.4 log artifact repository credentials in plaintext, allowing users with read access to pod logs to extract sensitive information such as S3 access keys and GCS service account keys.

Detection of a Windows DNS record creation event (5137) with an ObjectDN attribute containing 'DC=wpad', which indicates a potential WPAD spoofing attack to enable privilege escalation and lateral movement.

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.

Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.

IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6 grants excessive cluster-wide permissions, including unrestricted read access to all secrets, allowing a compromised operator or service account to exfiltrate credentials, escalate privileges, and achieve full cluster compromise.

The `cilium-bugtool` debugging tool in Cilium exposes WireGuard private keys, potentially allowing unauthorized access to encrypted node-to-node communication in affected versions.

D-Link DWM-222W USB Wi-Fi Adapter is vulnerable to brute-force attacks due to a protection bypass, allowing unauthenticated adjacent network attackers to gain control over the device by circumventing login attempt limits.

This brief outlines the threat of attackers leveraging GenAI tools to access sensitive files containing credentials, SSH keys, browser data, and shell configurations for credential access and persistence.

The Tekton Pipelines git resolver in API mode leaks the system-configured Git API token to a user-controlled `serverURL` when the user omits the `token` parameter, allowing an attacker with TaskRun or PipelineRun creation permissions to exfiltrate the shared API token.

Tekton Pipelines versions 1.0.0 to 1.10.0 are vulnerable to credential access, where the Git resolver in API mode transmits the system-configured Git API token to a user-controlled serverURL, enabling token exfiltration via a malicious server.

The goshs SimpleHTTPServer prior to version 2.0.0-beta.6 is vulnerable to ArtiPACKED, potentially leading to leakage of the GITHUB_TOKEN through workflow artifacts.

Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.

Multiple vulnerabilities in Dell PowerProtect Data Domain OS allow an attacker to execute arbitrary code with root privileges, escalate privileges to administrator, bypass security measures, manipulate data, disclose sensitive information, or conduct unspecified attacks.

A local attacker can exploit multiple vulnerabilities in Intel Firmware to disclose confidential information or gain elevated privileges.

Anviz CrossChex Standard is vulnerable to unauthorized database access due to the manipulation of TDS7 PreLogin, which disables encryption, leading to plaintext transmission of database credentials.

Git for Windows versions prior to 2.53.0.windows.3 are vulnerable to NTLM hash theft by attackers who can trick users into cloning malicious repositories or checking out malicious branches, leading to potential credential compromise.

A user with access to the `_internal` index or the `mcp_tool_admin` capability in Splunk MCP Server app versions below 1.0.3 can view user session and authorization tokens in clear text, leading to potential credential compromise.

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.

A single source IP accessing secret-management APIs across multiple cloud providers (AWS, GCP, Azure) and Kubernetes clusters within a short timeframe indicates potential credential theft, session hijacking, or token replay.

Detects a service principal authenticating to Azure AD followed by listing credentials for an Azure Arc-connected Kubernetes cluster, indicating potential adversary activity with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters.

Google's rollout of Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, with a future release planned for macOS, cryptographically binds authentication sessions to the user's device, rendering stolen session cookies unusable and mitigating credential access.

LiteLLM versions before 1.83.0 stored user passwords as unsalted SHA-256 hashes and exposed these hashes through multiple API endpoints, enabling an authenticated user to retrieve another user's password hash and use it to log in as that user due to the /v2/login endpoint accepting the raw SHA-256 hash without re-hashing, leading to potential privilege escalation.

This rule correlates AWS Long-Term Access Key First Seen from Source IP alerts with other open alerts of medium or higher severity that share the same IAM access key ID to prioritize investigation of potentially compromised accounts, helping identify post-compromise activity.

Detects unusual access to Kubernetes secrets, potentially indicating an attacker attempting to steal sensitive information after gaining initial access to the cluster.

A vulnerability in Directus versions prior to 11.17.0 allows authenticated users to extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users, via aggregate queries.

A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.

An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.

CVE-2026-5128 exposes sensitive Steam account data via the /users API endpoint and logs in ArthurFiorette steam-trader 2.1.1, allowing account takeover.

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials in pairing setup codes, allowing attackers with access to leaked codes to reuse credentials and gain unauthorized access.

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents and extract sensitive information.

Doveadm credentials are verified using direct comparison, making it susceptible to timing oracle attacks, allowing attackers to determine credentials and gain full access.

The cpp-httplib library prior to version 0.39.0 forwards stored authentication credentials to arbitrary hosts via HTTP redirects, potentially exposing sensitive information to malicious actors.

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 stores user credentials in plaintext, allowing local users to read sensitive information.

A phishing campaign abuses Microsoft's Device Code OAuth flow to gain access to cloud-based file storage and document workflow platforms, bypassing traditional credential harvesting.

OpenClaw before 2026.3.7 is vulnerable to improper header validation in fetchWithSsrFGuard, allowing attackers to intercept sensitive authorization headers via cross-origin redirects.

WWBN AVideo versions prior to 26.0 are vulnerable to a credential access vulnerability where passwords containing non-numeric characters are incorrectly processed, effectively setting the password to '0' and allowing trivial channel access bypass.

EquityPandit 1.0 contains an insecure logging vulnerability (CVE-2019-25605) that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge, specifically exposing plaintext passwords during the forgot password function.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

Detects a service principal authenticating to Microsoft Entra ID and then listing credentials for an Azure Arc-connected Kubernetes cluster within a short time window, indicating potential unauthorized access to Kubernetes clusters via stolen service principal secrets.

The loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service, is detected by this rule.

Adversaries use MemProcFS, a memory forensics tool, to mount memory dumps as virtual file systems and extract sensitive information like credentials from LSASS or registry hives.

An adversary modifies Kubernetes admission controller configurations to achieve persistence, escalate privileges, or gain unauthorized access to credentials within the cluster.

This detection identifies processes accessing the Windows Recall directory, a feature that takes screenshots every few seconds, and due to initial security shortcomings, could be exploited by malware to steal sensitive data.

Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.

Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.

Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.

Adversaries may abuse the AWS GetSigninToken API to create temporary federated credentials for obfuscating compromised AWS access keys and pivoting to console sessions without MFA, potentially leading to lateral movement within the AWS environment.

Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.

Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.

TYPO3 CMS version 14.2.0 stores passwords in cleartext in the `uc` and `user_settings` fields of the `be_users` database table when users change their credentials in the backend user settings module.

Adversaries may use vaultcmd.exe to list credentials stored in the Windows Credential Manager to gain unauthorized access to saved usernames and passwords, potentially in preparation for lateral movement.

Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.

This rule detects AWS identities with API traffic dominated by cloud-provider source AS organization labels, but also exhibit traffic from other AS organizations, potentially indicating credential reuse or pivoting.

Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.

Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.

Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.

Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.

Open WebUI is vulnerable to privilege escalation; when a user connects via Socket.IO, their role is stored in an in-memory session pool, and administrative changes do not invalidate this session, allowing unauthorized access and modification of other users' notes after role revocation.

Detection of a user account initiating the Active Directory replication process for the first time, potentially indicating a DCSync attack for credential theft and domain compromise.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.

Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.

This rule detects unauthorized access to sensitive Active Directory object attributes such as unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, potentially leading to credential theft and privilege escalation.

An unauthorized actor removes a Conditional Access policy in Azure, potentially weakening the organization's security posture and enabling privilege escalation or credential access.

The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.

Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.

This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker may have compromised an account by brute-forcing login attempts across multiple users.

An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.

Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.

Aegra versions 0.9.0 through 0.9.6 are vulnerable to a cross-tenant IDOR, enabling authenticated users to execute graph runs against other users' threads, read checkpoint states, inject messages, and conceal their actions due to missing user ID validation on run creation endpoints; patched in version 0.9.7.

Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.

The RedirectHandler middleware in multiple Kiota libraries fails to strip sensitive HTTP headers (Cookie, Proxy-Authorization, and custom headers) when following 3xx redirects to a different host or scheme, potentially leading to session hijacking, corporate proxy credential theft, and API key theft.

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

Detection of multiple device token hashes and source IPs for a single Okta session, indicating potential session hijacking and unauthorized access to Okta resources.

This rule detects Kubernetes audit events where a node or pod service account attempts to read secrets directly, which is often a sign of credential access.

Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.

Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.

Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.

Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.

This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.

An adversary can exploit Kubernetes Admission Controllers in Azure to achieve persistence, privilege escalation, or credential access by manipulating webhook configurations.

This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.

Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.

This rule detects potential NTLM relay attacks against computer accounts by identifying coercion attempts followed by authentication events originating from a different host, indicating that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.

Detects when a user successfully resets their own password in Azure Active Directory, which may indicate malicious activity or account compromise.

This rule detects lateral movement in AWS environments originating from Kubernetes service accounts by identifying instances where credentials obtained for a service account are used for multiple distinct AWS control-plane actions, potentially indicating unauthorized access.

This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

An adversary modifies the AWS Identity Center identity provider configuration, potentially leading to persistent access and privilege escalation through user impersonation.

Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.

Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.

An attacker attempts to access unsecured Outlook credentials stored in the Windows registry, potentially leading to unauthorized access to email accounts and sensitive information.

Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.

Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux commands, bypassing traditional Windows security measures, detected by monitoring process execution and command-line arguments.

The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.

Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.

This brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.

The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.

This rule detects the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access by identifying specific command-line arguments and process names associated with credential dumping activities.

An attacker attempts to disable or reset multi-factor authentication (MFA) for a user account in Okta, potentially leading to unauthorized access and account compromise.

A critical authentication bypass vulnerability in note-mark allows attackers to authenticate as any OIDC-registered user by submitting the password 'null' to the internal login endpoint due to a hardcoded bcrypt hash fallback, potentially leading to account takeover and persistent access.

This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.

Adversaries may modify the network logon provider registry to register a rogue network logon provider module for persistence and credential access by intercepting authentication credentials in clear text during user logon.

A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.

Detects the creation of 'mimilsa.log', the default log file created by the Mimikatz MemSSP module after injecting a malicious Security Support Provider into LSASS, potentially exposing credentials from subsequent logons on the host.

An attacker with Microsoft IIS web server access can decrypt and dump hardcoded connection strings, such as MSSQL service account passwords, using the aspnet_regiis utility, potentially leading to credential compromise.

Attackers modify LSA PPL protection settings via command-line tools like reg.exe and PowerShell to weaken system security and enable credential dumping.

Detects read access to Kubernetes Secrets (`get`/`list`) with a user agent matching a curated set of non-standard or attacker-leaning clients, indicating potential credential access.

Detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.

This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.

This brief outlines detection strategies for adversaries attempting to retrieve LAPS passwords using PowerShell and the 'ms-Mcs-AdmPwd' property, potentially leading to lateral movement and privilege escalation within a Windows domain.

An adversary may disable multi-factor authentication (MFA) in Azure Active Directory to weaken an organization's security posture and bypass authentication mechanisms, potentially gaining unauthorized access to sensitive resources and maintaining persistence.

Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.

Attackers may use compression utilities like zip, tar, and gzip on Linux systems to collect and archive sensitive files containing credentials and system configurations for credential access and data exfiltration.

This rule identifies potential password guessing/brute force activity from a single source IP targeting multiple Windows accounts with 'admin' in the username, indicating an attempt to compromise privileged accounts.

Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.

Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.

Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint (CVE-2026-7807) that allows authenticated users to read arbitrary .json files, potentially leading to credential compromise.

macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.

This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.

Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.

The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.

This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.

The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.

An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.

This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.

Detection of Kubernetes Secrets listing from non-loopback clients targeting cluster-wide secrets or sensitive namespaces, potentially indicating unauthorized credential access or discovery.

ELBA5 version 5.8.0 contains a remote code execution vulnerability (CVE-2018-25272) that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, potentially leading to complete system compromise.

Detection of creation or modification of Domain Backup private keys, which adversaries may extract from a Domain Controller (DC) to decrypt domain user master key files.

Detects copy operations of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files, potentially exposing sensitive hashed credentials on Windows systems.