Tag

Credential_access

9 briefs RSS

Google Workspace Device Registration Burst for Single User

Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.

Google Workspace google_workspace device_registration persistence initial_access credential_access

1r 3t 3w ago

high advisory

Entra ID Kali365 User-Agent Detected

2 rules 4 TTPs 4 IOCs

This brief detects the use of the Kali365 user agent, a phishing-as-a-service platform, within Entra ID or Microsoft 365 logs, indicating potential account compromise through stolen tokens.

Entra ID +1 cloud entra_id o365 initial_access credential_access

2r 4t 4i 3w ago

medium advisory

Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins

2 rules 2 TTPs

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

Microsoft Entra ID +3 tycoon2fa aitm entra_id phishing credential_access

2r 2t May 18, 2026

high advisory

Entra ID Excessive Account Lockouts Detected

2 rules 3 TTPs

A high volume of failed Microsoft Entra ID sign-in attempts resulting in account lockouts indicates potential brute-force attacks, such as password spraying or credential stuffing, targeting user accounts.

Entra ID azure entra_id credential_access brute_force

2r 3t Apr 22, 2026

high advisory

PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken

2 rules 1 TTP

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Elastic Security kerberoasting credential_access windows

2r 1t Jan 9, 2024

medium advisory

Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS

2 rules 3 TTPs

An AWS EC2 CreateKeyPair event triggered by a new principal originating from a network autonomous system (AS) organization not associated with major cloud providers, indicating potential unauthorized access or persistence activity.

Amazon EC2 aws ec2 keypair persistence credential_access lateral_movement

2r 3t Jan 3, 2024

high advisory

Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account

3 rules 1 TTP 1 CVE

Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.

kerberos relay credential_access windows

3r 1t 1c Jan 3, 2024

high advisory

Kubernetes Pod Exec Cloud Instance Metadata Access

2 rules 2 TTPs

Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.

AWS IMDS +2 kubernetes cloud credential_access execution

2r 2t Jan 3, 2024

medium advisory

LSASS Memory Dump Creation Detection

2 rules 1 TTP

This rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.

Elastic Defend +4 credential_access lsass memory_dump windows

2r 1t Jan 2, 2024