Approved activity performed by an administrator.

Techniques

Sample rules

Windows LAPS Credential Dump From Entra ID

Description

Detects when an account dumps the LAPS password from Entra ID.

Detection logic

selection:
  activityType|contains: Recover device local administrator password
  additionalDetails.additionalInfo|contains: Successfully recovered local credential by device id
  category: Device
condition: selection
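As an added example (not part of the LoFP entry or of the rule itself), a small Python evaluator that applies this selection to constructed Entra ID audit records and separates matches initiated by approved administrators, the false positive this entry describes, from matches that still warrant an alert. The record shape, the initiatedBy.user.userPrincipalName attribute and the sample accounts are assumptions.

```python
# Sigma selection from the rule above; every key must match (AND).
SELECTION = {
    "activityType|contains": "Recover device local administrator password",
    "additionalDetails.additionalInfo|contains": "Successfully recovered local credential by device id",
    "category": "Device",
}

def get_field(record, dotted):
    # Walk a dotted path such as "additionalDetails.additionalInfo".
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_selection(record, selection=SELECTION):
    # Plain equality and the |contains modifier, case-insensitive as in Sigma.
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = get_field(record, field)
        if value is None:
            return False
        value, expected = str(value).lower(), expected.lower()
        if modifier == "contains" and expected not in value:
            return False
        if modifier == "" and value != expected:
            return False
    return True

def triage(records, approved_admins):
    # Matches by an approved admin are this entry's false positive; the rest alert.
    alerts, suppressed = [], []
    for rec in records:
        if matches_selection(rec):
            actor = (get_field(rec, "initiatedBy.user.userPrincipalName") or "").lower()
            (suppressed if actor in approved_admins else alerts).append(rec)
    return alerts, suppressed

def _rec(activity, info, upn):
    # Constructed record in the field shape the rule assumes (not real Entra ID output).
    return {"activityType": activity, "category": "Device",
            "additionalDetails": {"additionalInfo": info},
            "initiatedBy": {"user": {"userPrincipalName": upn}}}

LAPS, OK = "Recover device local administrator password", "Successfully recovered local credential by device id"
SAMPLE_RECORDS = [_rec(LAPS, OK, "helpdesk-admin@example.com"),
                  _rec(LAPS, OK, "contractor@example.com"),
                  _rec("Add device", "Device registered", "contractor@example.com")]
APPROVED_ADMINS = {"helpdesk-admin@example.com"}
```

The approved-admin set stands in for whatever source of truth (PIM role assignment, ticket reference) the environment uses to justify the recovery.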