logo
Defence blues
Credential theft hunting
  • Red tradecraft
  • Privacy greenhouse
  • Purple crossroads
  • Indigo observatory
  • Contact
Initializing search
    • Blue team @Home
    • Servers without a security team
    • Honeytech for humans
    • Blue team for dev
    • OT and ICS security
    • Counter moves
      • Closing the doors just walked through
      • The machine at the point of impact
      • Traffic patterns as evidence
      • Inter-domain routing as a target
      • The surface designed to be accessible
      • The application layer as a target
      • Infrastructure you defend but do not own
      • Where the container meets the host
      • Systems that were never meant to be networked
      • The domain as an attack graph
      • The gap between access and authority
      • Harvesting stored secrets
        • OS credential stores and memory extraction
        • Password spraying, stuffing, and brute force
        • Credential theft hunting
          • LSASS and OS credential store hunting
          • Password spray and authentication abuse hunting
        • Credential theft hunting
          • LSASS and OS credential store hunting
          • Password spray and authentication abuse hunting
      • Surviving the reboot
      • From target to target
      • Plausibility as cover
      • Memory corruption and its limits
      • Watching data being gathered
      • Watching the exits
      • Limiting the blast radius
      • Operational cost of security controls
    • Golem Trust Computing Ltd.
    • Civic Defence Establishment
    • The Circle Sea Arrangement
    • Office of Civil Surveys
    • Civil Observers’ Society
    • The Home for Bewildered Beasts of Legend
    • Campaigns, manoeuvres and scenarios

    Credential theft hunting¶

    Runbooks for hunting credential dumping activity and authentication abuse patterns in Windows Security event logs. The LSASS hunt covers process memory access and offline extraction techniques; the spray hunt covers source-based failure clustering, lockout bursts, and failure-to-success sequences.

    • LSASS and OS credential store hunting
    • Password spray and authentication abuse hunting
    2026-07-09 22:41
    © Copyright 2026, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love by Ty Myrddin, 2026, with a forest garden fostered by /ut7