Use of hash-cracking tools (e.g., John the Ripper, Hashcat) after credential dumping, combined with high CPU usage or GPU invocation by unsigned binaries that access password hash files

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Access (DC0055) | WinEventLog:Security | EventCode=5145, 4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| HashToolName | Match execution against known cracking tool names such as hashcat.exe, john.exe, etc. |
| FilePathIndicators | Watch for access to common hash dump locations (e.g., SAM, SYSTEM, NTDS.dit) |
| ExecutionContext | Run context: local interactive user vs. scheduled task or remote session |
Execution of hash-cracking binaries or scripts (e.g., john, hashcat) following access to the shadow file or dumped hashes

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Access (DC0055) | linux:syslog | auth.log or custom tool logs |

| Field | Description |
|---|---|
| ShadowAccessPattern | Access to /etc/shadow or known dumped hash files |
| CrackingBinaryPath | Tool path or name associated with hash cracking |
| CPUUsageThreshold | Sustained CPU load after a credential dump can be an indicator |
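The Windows and Linux analytics above both reduce to the same correlation: a read of a hash store (SAM/SYSTEM/NTDS.dit or /etc/shadow) followed, within a time window on the same host, by execution of a known cracking tool. The following is an added example (not part of the original page or of any vendor tooling) that runs that correlation over a small set of constructed, normalized events; the event schema and the `context` field are assumptions standing in for the HashToolName, FilePathIndicators/ShadowAccessPattern and ExecutionContext fields.

```python
import re
from datetime import datetime, timedelta

# Cracking tool names to match (HashToolName / CrackingBinaryPath); extend per environment.
HASH_TOOLS = {"hashcat.exe", "hashcat64.exe", "hashcat", "john.exe", "john"}

# Hash-store paths and typical dump-file extensions (FilePathIndicators / ShadowAccessPattern).
DUMP_PATH_RE = re.compile(
    r"(\\config\\(sam|system)$|ntds\.dit$|^/etc/shadow$|\.(ntds|hashes?|dump)$)",
    re.IGNORECASE,
)


def detect_cracking_after_dump(events, window_minutes=60):
    """Return one alert per cracking-tool launch preceded by a hash-store access.

    events: dicts with keys time (ISO 8601), host, user, kind
    ('file_access' | 'process_create'), target (file path or image path)
    and optional context (assumed field: interactive, scheduled, remote).
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent_dumps = {}  # host -> [(time, user, path)] seen so far
    alerts = []
    for ev in ordered:
        t = datetime.fromisoformat(ev["time"])
        if ev["kind"] == "file_access" and DUMP_PATH_RE.search(ev["target"]):
            recent_dumps.setdefault(ev["host"], []).append((t, ev["user"], ev["target"]))
        elif ev["kind"] == "process_create":
            name = re.split(r"[\\/]", ev["target"])[-1].lower()
            if name not in HASH_TOOLS:
                continue
            hits = [d for d in recent_dumps.get(ev["host"], []) if t - d[0] <= window]
            if hits:  # dump access on this host inside the window: raise the alert
                alerts.append({"host": ev["host"], "user": ev["user"], "tool": name,
                               "dump_paths": sorted({d[2] for d in hits}),
                               "context": ev.get("context", "unknown")})
    return alerts


# Constructed sample events: one true positive, one outside the window, one with no dump.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "WS01", "user": "jdoe", "kind": "file_access",
     "target": r"C:\Windows\System32\config\SAM"},
    {"time": "2024-05-01T09:20:00", "host": "WS01", "user": "jdoe", "kind": "process_create",
     "target": r"C:\Users\jdoe\Downloads\hashcat.exe", "context": "interactive"},
    {"time": "2024-05-01T10:00:00", "host": "lnx01", "user": "root", "kind": "file_access",
     "target": "/etc/shadow"},
    {"time": "2024-05-01T14:00:00", "host": "lnx01", "user": "root", "kind": "process_create",
     "target": "/usr/bin/john"},  # four hours later: outside the default 60-minute window
    {"time": "2024-05-01T11:00:00", "host": "WS02", "user": "svc", "kind": "process_create",
     "target": r"C:\tools\john.exe"},  # no preceding hash-store access on WS02
]
```

Widening `window_minutes` trades fewer missed offline-cracking cases for more benign matches (e.g., backup agents reading the SAM hive), so the `context` value is what an analyst would triage next.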
Unsigned or scripting-based processes invoking password-cracking binaries or accessing hashed credential artifacts after login

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process and file events via log stream |

| Field | Description |
|---|---|
| UnsignedBinaryPath | Path to untrusted binaries launched by the user |
| UserPrivilegeLevel | Helps distinguish between system-launched and user-launched activity |
Sudden valid logins from accounts whose credentials were previously dumped but that had not authenticated successfully before, correlated with the timeline of suspected hash cracking

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Success logs from high-risk accounts |

| Field | Description |
|---|---|
| PostDumpTimeWindow | Detection window after credential dumping during which successful logins are watched for |
| LoginLocationRisk | Use IP/geolocation risk scoring to flag unusual access |
Offline cracking inferred from subsequent successful CLI or web-based authentications to routers or switches using previously dumped accounts

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | networkdevice:syslog | config access, authentication logs |

| Field | Description |
|---|---|
| LogonTimeCorrelation | Time window used to link credential theft and credential reuse |
| SourceDeviceTag | Filter on the source device, since the cracking itself may have occurred externally |