```yaml
title: Windows LAPS Credential Dump via Entra ID
description: |
  This analytic detects when an account dumps the LAPS password via Entra ID.
author: andrewdanis
references:
  - https://twitter.com/NathanMcNulty/status/1785051227568632263
logsource:
  product: azure
  service: activitylogs
detection:
  selection:
    Category: Device
    ActivityType: Recover device local administrator password
    AdditionalInfo: Successfully recovered local credential by device id
    Service: Device Registration Service
  condition: selection
status: test
date: 2024/04/30
falsepositives:
  - Trusted activity performed by an Administrator.
level: high
tags:
  # Sigma tag format for ATT&CK T1098.005 (Account Manipulation: Device Registration)
  - attack.t1098.005
```
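To show how the selection above behaves on real-looking records, here is an added example (not part of the rule proposal or any Sigma backend) that evaluates the rule's four fields against constructed Entra ID audit-log records using Sigma's default matching semantics. Field names follow the rule; `InitiatedBy`, `TargetDeviceId` and the sample values are assumptions for reporting.

```python
# Sigma selection from the rule: every key must match (implicit AND).
SELECTION = {
    "Category": "Device",
    "ActivityType": "Recover device local administrator password",
    "AdditionalInfo": "Successfully recovered local credential by device id",
    "Service": "Device Registration Service",
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Plain Sigma string values (no modifiers) compare as whole strings,
    case-insensitively; a missing or non-string field never matches."""
    for field, expected in selection.items():
        value = event.get(field)
        if not isinstance(value, str) or value.lower() != expected.lower():
            return False
    return True


def laps_recovery_alerts(events: list) -> list:
    """Return (actor, device id) for every record that fires the rule.
    InitiatedBy / TargetDeviceId are assumed columns, not from the rule."""
    return [(e.get("InitiatedBy"), e.get("TargetDeviceId"))
            for e in events if matches_selection(e)]


# Constructed sample records (no real tenant data).
SAMPLE_EVENTS = [
    {   # fires: successful LAPS password recovery by a help-desk account
        "Category": "Device",
        "ActivityType": "Recover device local administrator password",
        "AdditionalInfo": "Successfully recovered local credential by device id",
        "Service": "Device Registration Service",
        "InitiatedBy": "helpdesk@example.test",
        "TargetDeviceId": "00000000-0000-0000-0000-000000000001",
    },
    {   # does not fire: same category and service, different activity
        "Category": "Device", "ActivityType": "Update device",
        "AdditionalInfo": "", "Service": "Device Registration Service",
        "InitiatedBy": "intune@example.test",
        "TargetDeviceId": "00000000-0000-0000-0000-000000000002",
    },
]

if __name__ == "__main__":
    for actor, device in laps_recovery_alerts(SAMPLE_EVENTS):
        print(f"LAPS password recovered by {actor} for device {device}")
```

Any hit should be reconciled against the help-desk or admin change record, since the rule's only listed false positive is legitimate administrator activity.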
Description of the Idea of the Rule
Analytic that detects when an account dumps the LAPS password via Entra ID.
Public References / Example Event Log
https://twitter.com/NathanMcNulty/status/1785051227568632263
Detection Logic: