Detects adversary exploitation of authentication mechanisms or credential validation processes. Defender perspective includes forged Kerberos tickets (e.g., PAC forgery via MS14-068), abnormal LSASS memory access, replayed authentication attempts, and unexpected crashes of authentication services. Multi-event correlation ties exploitation attempts to abnormal process creation, service instability, and suspicious authentication events.
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4768, 4769, 4770 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Field | Description |
|---|---|
| MonitoredAccounts | High-value accounts (e.g., Domain Admins) for anomalous ticket issuance or replay activity. |
| ReplayDetectionWindow | Time window for correlating duplicate or replayed Kerberos authentications. |
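The Windows correlation described above, as an added example that is not part of the original page or of any ATT&CK-provided tooling: it runs over constructed Security 4769 and Sysmon Event 10 records and applies the MonitoredAccounts and ReplayDetectionWindow elements. Field names follow the event XML (TargetUserName, ServiceName, IpAddress, TicketOptions, SourceImage, TargetImage, GrantedAccess); the sample values, the host-to-IP inventory and the LSASS-reader allowlist are assumptions.

```python
"""Correlate Sysmon Event 10 LSASS access with Kerberos ticket events.

Added example, not code from the original page. All events, the
host-to-IP inventory and the LSASS allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MONITORED_ACCOUNTS = {"administrator", "da-backup"}   # MonitoredAccounts (assumed)
REPLAY_WINDOW = timedelta(seconds=120)               # ReplayDetectionWindow (assumed)
PROCESS_VM_READ = 0x0010                             # bit in Sysmon GrantedAccess
# Images that legitimately read lsass memory; tune per estate (assumed list).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
HOST_IPS = {"WS01": "10.0.0.5"}                      # constructed asset inventory

# Constructed sample events: one Sysmon 10 record and three Security 4769 records.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "EventCode": 10, "Computer": "WS01",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"time": "2024-05-01T10:00:30", "EventCode": 4769, "Computer": "DC01",
     "TargetUserName": "DA-Backup@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "IpAddress": "::ffff:10.0.0.5", "TicketOptions": "0x40810000"},
    {"time": "2024-05-01T10:00:45", "EventCode": 4769, "Computer": "DC01",
     "TargetUserName": "DA-Backup@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "IpAddress": "::ffff:10.0.0.5", "TicketOptions": "0x40810000"},
    {"time": "2024-05-01T10:30:00", "EventCode": 4769, "Computer": "DC01",
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "IpAddress": "::ffff:10.0.0.7", "TicketOptions": "0x40810000"},
]


def parse_time(ts):
    return datetime.fromisoformat(ts)


def norm_account(name):
    # "DA-Backup@CORP.LOCAL" -> "da-backup"; "CORP\\Administrator" -> "administrator"
    return name.split("@")[0].split("\\")[-1].lower()


def ip_of(event):
    # Security events record IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.0.0.5").
    return event.get("IpAddress", "").replace("::ffff:", "")


def suspicious_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Sysmon 10: a non-allowlisted image opened lsass.exe with PROCESS_VM_READ."""
    hits = []
    for e in events:
        if e["EventCode"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].lower() in allowlist:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append(e)
    return hits


def kerberos_replays(events, window=REPLAY_WINDOW, monitored=MONITORED_ACCOUNTS):
    """Flag identical ticket requests (same account, service, client and
    ticket options) for a monitored account repeated inside `window`; a
    replayed request leaves exactly this duplicate burst on the KDC."""
    seen = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["EventCode"] not in (4768, 4769):
            continue
        acct = norm_account(e["TargetUserName"])
        if acct not in monitored:
            continue
        key = (acct, e.get("ServiceName"), ip_of(e), e.get("TicketOptions"))
        t = parse_time(e["time"])
        if any(t - prev <= window for prev in seen[key]):
            alerts.append({"rule": "kerberos_replay", "account": acct,
                           "client": ip_of(e), "service": e.get("ServiceName")})
        seen[key].append(t)
    return alerts


def lsass_then_ticket(events, window=REPLAY_WINDOW, monitored=MONITORED_ACCOUNTS,
                      host_ips=HOST_IPS):
    """Suspicious LSASS read on a host, followed within `window` by a ticket
    request for a monitored account from that host's IP."""
    alerts = []
    for access in suspicious_lsass_access(events):
        t0 = parse_time(access["time"])
        host_ip = host_ips.get(access["Computer"])
        for e in events:
            if e["EventCode"] not in (4768, 4769):
                continue
            acct = norm_account(e["TargetUserName"])
            dt = parse_time(e["time"]) - t0
            if acct in monitored and ip_of(e) == host_ip and timedelta(0) <= dt <= window:
                alerts.append({"rule": "lsass_access_then_ticket", "host": access["Computer"],
                               "source_image": access["SourceImage"], "account": acct})
                break
    return alerts


if __name__ == "__main__":
    for alert in kerberos_replays(SAMPLE_EVENTS) + lsass_then_ticket(SAMPLE_EVENTS):
        print(alert)
```

Legitimate clients also re-request service tickets, so the replay rule is restricted to MonitoredAccounts and a short ReplayDetectionWindow; the LSASS rule keys on PROCESS_VM_READ in GrantedAccess, which credential dumpers need, and depends on an allowlist of processes that read lsass routinely (EDR and antivirus agents) being maintained.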
Detects exploitation of authentication daemons or PAM modules. Defender perspective includes failed or anomalous PAM authentications, abnormal segfaults in authentication services, and exploitation attempts followed by successful unauthorized logins. Correlation identifies memory corruption, replay attempts, and privilege escalation tied to credential services.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login) |
| User Account Authentication (DC0002) | NSM:Connections | Repeated failed authentication attempts or replay patterns |
| Field | Description |
|---|---|
| AuthServiceList | List of monitored authentication services (e.g., sshd, gdm, PAM modules). |
| FailureThreshold | Number of failed authentications within a window before escalating to replay suspicion. |
Detects exploitation attempts against macOS authentication frameworks such as OpenDirectory or Keychain. Defender perspective includes abnormal crashes in opendirectoryd, unauthorized Keychain API usage, and unusual sudo or login events. Correlation links unexpected process behavior with credential access anomalies.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | opendirectoryd crashes or abnormal authentication errors |
| Process Creation (DC0032) | macos:osquery | execve: Processes unexpectedly invoking Keychain or authentication APIs |
| Field | Description |
|---|---|
| WatchedAPIs | List of authentication and Keychain-related APIs to monitor for unauthorized access. |
| CrashCorrelationWindow | Time window for correlating authentication service crashes with subsequent suspicious access. |
Detects exploitation of vulnerabilities in cloud identity providers (IdPs) such as Azure AD or Okta for credential access. Defender perspective includes anomalous token creation or renewal, authentication bypass events, and API abuse to mint unauthorized tokens. Correlation highlights exploitation attempts tied to absent or inconsistent audit logs.
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events |
| Application Log Content (DC0038) | m365:unified | ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA |
| Field | Description |
|---|---|
| TokenAnomalyThreshold | Threshold for anomalous token creation or renewal before alerting. |
| MonitoredAppIntegrations | Applications with privileged access that should be tightly monitored for misuse. |
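The FailureThreshold escalation from the Linux analytic above and the TokenAnomalyThreshold from this cloud analytic are the same sliding-window count over a key, so one added example (not code from the original page or from any vendor) serves both: a generic threshold function, applied first to constructed sshd authentication records (with the follow-on check for a successful login from the same source) and then to constructed Azure-style token issuance records filtered by MonitoredAppIntegrations. Field names are simplified rather than copied from any real schema, and every value, threshold and window is an assumption.

```python
"""Sliding-window thresholds for FailureThreshold and TokenAnomalyThreshold.

Added example, not from the original page. All events below are constructed
and use simplified field names, not a real log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_time(ts):
    return datetime.fromisoformat(ts)


def threshold_alerts(events, key_fn, threshold, window):
    """Alert once per key when `threshold` events for that key fall inside a
    `window`-long span. key_fn returns None for events that do not count."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        key = key_fn(e)
        if key is None:
            continue
        t = parse_time(e["time"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "count": len(q),
                           "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts


# ---- Linux: FailureThreshold over AuthServiceList (assumed values) ----
FAILURE_THRESHOLD = 4
FAILURE_WINDOW = timedelta(seconds=60)
AUTH_SERVICES = {"sshd", "gdm", "login"}

# Constructed sshd/PAM-style records: a burst from one source that then succeeds.
LINUX_AUTH = [
    {"time": "2024-05-01T09:00:00", "service": "sshd", "src": "203.0.113.9", "user": "root", "result": "fail"},
    {"time": "2024-05-01T09:00:05", "service": "sshd", "src": "203.0.113.9", "user": "root", "result": "fail"},
    {"time": "2024-05-01T09:00:09", "service": "sshd", "src": "203.0.113.9", "user": "root", "result": "fail"},
    {"time": "2024-05-01T09:00:14", "service": "sshd", "src": "203.0.113.9", "user": "root", "result": "fail"},
    {"time": "2024-05-01T09:00:20", "service": "sshd", "src": "203.0.113.9", "user": "root", "result": "success"},
    {"time": "2024-05-01T09:05:00", "service": "sshd", "src": "198.51.100.4", "user": "alice", "result": "fail"},
    {"time": "2024-05-01T09:15:00", "service": "sshd", "src": "198.51.100.4", "user": "alice", "result": "fail"},
    {"time": "2024-05-01T09:16:00", "service": "cron", "src": "-", "user": "root", "result": "fail"},
]


def failed_auth_key(e):
    if e["service"] in AUTH_SERVICES and e["result"] == "fail":
        return (e["service"], e["src"])
    return None


def failures_then_success(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Escalate a threshold hit when the same source then authenticates
    successfully within `window` of the last failure."""
    escalated = []
    for a in threshold_alerts(events, failed_auth_key, threshold, window):
        service, src = a["key"]
        last = parse_time(a["last"])
        for e in events:
            if (e["service"], e["src"], e["result"]) == (service, src, "success"):
                dt = parse_time(e["time"]) - last
                if timedelta(0) <= dt <= window:
                    escalated.append({**a, "success_at": e["time"], "user": e["user"]})
                    break
    return escalated


# ---- Cloud: TokenAnomalyThreshold over MonitoredAppIntegrations (assumed) ----
TOKEN_ANOMALY_THRESHOLD = 3
TOKEN_WINDOW = timedelta(minutes=5)
MONITORED_APPS = {"app-backup-sync"}

# Constructed sign-in style records; op names mirror the channel column above.
CLOUD_EVENTS = [
    {"time": "2024-05-01T12:00:00", "op": "TokenIssued", "principal": "svc-backup", "app": "app-backup-sync"},
    {"time": "2024-05-01T12:01:00", "op": "TokenRenewed", "principal": "svc-backup", "app": "app-backup-sync"},
    {"time": "2024-05-01T12:02:30", "op": "TokenIssued", "principal": "svc-backup", "app": "app-backup-sync"},
    {"time": "2024-05-01T12:30:00", "op": "TokenIssued", "principal": "alice", "app": "outlook"},
    {"time": "2024-05-01T12:31:00", "op": "ConsentGranted", "principal": "alice", "app": "app-backup-sync"},
]


def token_key(e):
    if e["op"] in ("TokenIssued", "TokenRenewed") and e["app"] in MONITORED_APPS:
        return (e["principal"], e["app"])
    return None


if __name__ == "__main__":
    for a in failures_then_success(LINUX_AUTH):
        print("linux:", a)
    for a in threshold_alerts(CLOUD_EVENTS, token_key, TOKEN_ANOMALY_THRESHOLD, TOKEN_WINDOW):
        print("cloud:", a)
```

The key function is where the tuning lives: keying failures on (service, source) catches spraying from one host without firing on a single user's typo, and keying tokens on (principal, app) keeps a busy integration from masking a second principal minting tokens through the same app.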