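# Sigma rule template: Credential Access (MITRE ATT&CK TA0006).
# Fill in the placeholders in [brackets] / ALL-CAPS before use.
title: Credential Access via [TECHNIQUE]
id: GENERATE-NEW-UUID  # replace with a freshly generated UUID (v4)
status: experimental
description: Detects credential theft/dumping using [specific technique/tool]
references:
  - https://attack.mitre.org/tactics/TA0006/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - attack.credential_access
  - attack.t1003  # Replace with specific technique
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Define your detection criteria.
    # NOTE: a bare `selection:` parses as YAML null, so the rule will not pass
    # Sigma validation until at least one field/value pair is added here.
  condition: selection
falsepositives:
  - Legitimate password reset tools
  - Security assessment tools (authorized)
level: critical
fields:
  - User
  - CommandLine
  - TargetImage
  - GrantedAccess

# Common Credential Access Techniques (example detection stanzas; each
# replaces the `logsource`/`detection` sections above as indicated).
#
# T1003.001 - LSASS Memory Dump
# Sysmon Event ID 10 (process access). The GrantedAccess masks below are the
# access rights commonly requested by dumping tools; tune for your environment.
# logsource:
#   category: process_access
#   product: windows
# detection:
#   selection:
#     TargetImage|endswith: '\lsass.exe'
#     GrantedAccess|contains:
#       - '0x1010'
#       - '0x1410'
#       - '0x147a'
#       - '0x143a'
#   condition: selection
#
# T1003.002 - Security Account Manager (SAM)
# Uses the process_creation logsource from the template above.
# detection:
#   selection:
#     Image|endswith: '\reg.exe'
#     CommandLine|contains|all:
#       - 'save'
#       - 'HKLM\SAM'
#   condition: selection
#
# T1558.003 - Kerberoasting
# Windows Security Event ID 4769 (TGS request). RC4 (0x17) tickets are the
# signal; computer accounts (names ending in '$') are excluded via a filter
# rather than matched in the selection, since they are not the roasting target
# and would otherwise dominate the results.
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 4769
#     TicketEncryptionType: '0x17'  # RC4-HMAC
#   filter:
#     ServiceName|endswith: '$'
#   condition: selection and not filter
#
# T1110 - Brute Force
# Windows Security Event ID 4625; the source address field of 4625 is
# `IpAddress`. The `| count(...) by ...` aggregation is legacy Sigma syntax and
# is not supported by every backend - verify against your converter.
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 4625  # Failed logon
#   condition: selection | count(TargetUserName) by IpAddress > 10
#
# T1555 - Credentials from Password Stores
# Uses the process_creation logsource from the template above.
# detection:
#   selection:
#     Image|endswith:
#       - '\vaultcmd.exe'
#       - '\cmdkey.exe'
#     CommandLine|contains: '/list'
#   condition: selection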