Skip to content

DET0174 Detection Strategy for Exploitation for Credential Access

Item Value
ID DET0174
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1212 (Exploitation for Credential Access)

Analytics

Windows

AN0493

Detects adversary exploitation of authentication mechanisms or credential validation processes. Defender perspective includes forged Kerberos tickets (e.g., MS14-068), abnormal LSASS memory access, replayed authentication attempts, and unexpected crashes of authentication services. Multi-event correlation ties exploitation attempts to abnormal process creation, service instability, and suspicious authentication events.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) WinEventLog:Security EventCode=4768, 4769, 4770
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Mutable Elements
Field Description
MonitoredAccounts High-value accounts (e.g., Domain Admins) for anomalous ticket issuance or replay activity.
ReplayDetectionWindow Time window for correlating duplicate or replayed Kerberos authentications.

Linux

AN0494

Detects exploitation of authentication daemons or PAM modules. Defender perspective includes failed or anomalous PAM authentications, abnormal segfaults in authentication services, and exploitation attempts followed by successful unauthorized logins. Correlation identifies memory corruption, replay attempts, and privilege escalation tied to credential services.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)
User Account Authentication (DC0002) NSM:Connections Repeated failed authentication attempts or replay patterns
Mutable Elements
Field Description
AuthServiceList List of monitored authentication services (e.g., sshd, gdm, PAM modules).
FailureThreshold Number of failed authentications within a window before escalating to replay suspicion.

macOS

AN0495

Detects exploitation attempts against macOS authentication frameworks such as OpenDirectory or Keychain. Defender perspective includes abnormal crashes in opendirectoryd, unauthorized Keychain API usage, and unusual sudo or login events. Correlation links unexpected process behavior with credential access anomalies.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog opendirectoryd crashes or abnormal authentication errors
Process Creation (DC0032) macos:osquery execve: Processes unexpectedly invoking Keychain or authentication APIs
Mutable Elements
Field Description
WatchedAPIs List of authentication and Keychain-related APIs to monitor for unauthorized access.
CrashCorrelationWindow Time window for correlating authentication service crashes with subsequent suspicious access.

Identity Provider

AN0496

Detects exploitation of vulnerabilities in cloud identity providers (IdPs) such as Azure AD or Okta for credential access. Defender perspective includes anomalous token creation or renewal, authentication bypass events, and API abuse to mint unauthorized tokens. Correlation highlights exploitation attempts tied to absent or inconsistent audit logs.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) azure:signinlogs TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events
Application Log Content (DC0038) m365:unified ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA
Mutable Elements
Field Description
TokenAnomalyThreshold Threshold for anomalous token creation or renewal before alerting.
MonitoredAppIntegrations Applications with privileged access that should be tightly monitored for misuse.