Detects adversary behavior accessing Windows cached domain credential files using tools like Mimikatz, reg.exe, or PowerShell, often combined with registry exports or LSASS memory scraping.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| TargetFilename | Location of cached credential files may vary with OS version or custom registry hive exports. |
| CommandLine | Patterns for reg save, secretsdump, or PowerShell dumping tools may be tuned to org-specific tooling. |
| TimeWindow | Temporal correlation window between process execution and registry/file access. |

Detects access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, requiring sudo/root access.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | file |
| Process Creation (DC0032) | auditd:EXECVE | EXECVE |
| Process Access (DC0035) | linux:osquery | process_events |

| Field | Description |
|---|---|
| filepath | SSSD and Quest cache paths differ by deployment and OS variant. |
| CommandLine | Tunable to capture specific tools (e.g., tdbdump, cat) or scripts accessing cache files. |
| TimeWindow | Time between elevation and file access can be adjusted to account for legitimate system behavior. |
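Both analytics above share one shape: a process whose CommandLine matches a tuned pattern, followed within a TimeWindow by access to a cached-credential file on the same host. The correlation below is an added example (not the strategy's own analytic); the command-line patterns, cache paths, 300-second window and the sample events are all constructed assumptions to be tuned to local tooling.

```python
import re
from datetime import datetime, timedelta

# Tunable fields from the strategy; patterns and paths are example values (assumptions).
CMDLINE_PATTERNS = [
    r"\breg(\.exe)?\s+save\s+hklm\\(security|sam|system)\b",  # registry hive export
    r"\bsecretsdump\b",                                        # remote/offline hive dumping
    r"\b(lsadump|sekurlsa)::",                                 # Mimikatz modules
    r"\btdbdump\b",                                            # SSSD / Quest VAS cache dump
]
CACHE_PATHS = [
    r"\\system32\\config\\(security|sam|system)$",  # Windows hives holding cached creds
    r"^/var/lib/sss/db/cache_",                     # SSSD cache database
]

def matches_any(text, patterns):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def correlate(events, window_s=300):
    """Pair each process whose CommandLine matches a tuned pattern with a later
    cache-file access on the same host within window_s seconds (TimeWindow)."""
    procs = [e for e in events if e["type"] == "process"
             and matches_any(e["cmdline"], CMDLINE_PATTERNS)]
    files = [e for e in events if e["type"] == "file_access"
             and matches_any(e["path"], CACHE_PATHS)]
    hits = []
    for p in procs:
        for f in files:
            delta = (f["ts"] - p["ts"]).total_seconds()
            if f["host"] == p["host"] and 0 <= delta <= window_s:
                hits.append((p, f))
    return hits

# Constructed sample events (not real telemetry) covering both analytics.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"type": "process", "ts": T0, "host": "WS01",
     "cmdline": r"reg.exe save HKLM\SECURITY C:\Temp\sec.hiv"},
    {"type": "file_access", "ts": T0 + timedelta(seconds=2), "host": "WS01",
     "path": r"C:\Windows\System32\config\SECURITY"},
    {"type": "process", "ts": T0, "host": "LNX01",
     "cmdline": "sudo tdbdump /var/lib/sss/db/cache_corp.example.ldb"},
    {"type": "file_access", "ts": T0 + timedelta(seconds=1), "host": "LNX01",
     "path": "/var/lib/sss/db/cache_corp.example.ldb"},
    {"type": "process", "ts": T0, "host": "WS02",  # benign: a query, not a hive save
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Example"},
    {"type": "file_access", "ts": T0 + timedelta(hours=1), "host": "WS01",
     "path": r"C:\Windows\System32\config\SAM"},  # same host, but outside the window
]
```

With the default window `correlate(SAMPLE_EVENTS)` yields the WS01 and LNX01 pairs only; widening window_s also pulls in the later SAM access, which is the tuning trade-off the TimeWindow field describes.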