Antivirus Password Dumper Detection

Detects a highly relevant antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; instead, investigate how the tool got onto the host in the first place.

Sigma rule

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical
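To make the selection logic concrete, here is an added Python example (not part of the rule or the SigmaHQ project) that re-implements the rule's `selection` block and runs it over a handful of constructed antivirus events. It follows Sigma's default string semantics: `startswith` and `contains` compare case-insensitively, the two list items under `selection` are ORed, and a `.` in a value is a literal character (Sigma wildcards are `*` and `?`). The event field names (`Computer`, `Signature`, `Action`) and all sample signature names are assumptions; a real Sigma backend maps the product's own schema onto `Signature`.

```python
"""Added example: emulates the 'Antivirus Password Dumper Detection' selection
over constructed AV events. Field names and sample values are assumptions."""

# Values copied from the rule. Sigma string modifiers are case-insensitive and
# '.' is literal (wildcards are '*' and '?'), so 'PWS.' only matches 'PWS.'.
SIGNATURE_STARTSWITH = ["PWS"]
SIGNATURE_CONTAINS = [
    "Certify", "DCSync", "DumpCreds", "DumpLsass", "DumpPert", "HTool/WCE",
    "Kekeo", "Lazagne", "LsassDump", "Mimikatz", "MultiDump", "Nanodump",
    "NativeDump", "Outflank", "PShlSpy", "PSWTool", "PWCrack", "PWDump",
    "PWS.", "PWSX", "pypykatz", "Rubeus", "SafetyKatz", "SecurityTool",
    "SharpChrome", "SharpDPAPI", "SharpDump", "SharpKatz", "SharpS.",
    "ShpKatz", "TrickDump",
]
RULE_LEVEL = "critical"


def matches_password_dumper(signature: str) -> bool:
    """True if the AV signature name satisfies the rule's 'selection'.

    'selection' is a list of two maps, which Sigma ORs together; the values
    inside the 'contains' list are ORed as well.
    """
    sig = signature.lower()
    if any(sig.startswith(p.lower()) for p in SIGNATURE_STARTSWITH):
        return True
    return any(token.lower() in sig for token in SIGNATURE_CONTAINS)


def matched_tokens(signature: str) -> list[str]:
    """Which rule values fired; handy as context in the resulting alert."""
    sig = signature.lower()
    hits = [f"startswith:{p}" for p in SIGNATURE_STARTSWITH if sig.startswith(p.lower())]
    hits += [f"contains:{t}" for t in SIGNATURE_CONTAINS if t.lower() in sig]
    return hits


def triage(events: list[dict]) -> list[dict]:
    """Return an alert record for every event the rule selects.

    Events the AV already blocked or quarantined are deliberately NOT dropped:
    the rule's point is that a blocked dumper still needs an investigation of
    how it reached the host.
    """
    alerts = []
    for ev in events:
        sig = ev.get("Signature", "")
        if matches_password_dumper(sig):
            alerts.append({
                "host": ev.get("Computer"),
                "signature": sig,
                "action": ev.get("Action"),
                "matched": matched_tokens(sig),
                "level": RULE_LEVEL,
            })
    return alerts


# Constructed antivirus events (field names are an assumption; each vendor has
# its own schema, which the Sigma backend maps onto 'Signature').
SAMPLE_EVENTS = [
    {"Computer": "ws-017", "Signature": "HackTool:Win32/Mimikatz!dha", "Action": "Quarantined"},
    {"Computer": "ws-042", "Signature": "PWS:Win32/Fareit.A", "Action": "Blocked"},
    {"Computer": "srv-db1", "Signature": "Trojan:Win32/Emotet.B", "Action": "Quarantined"},
    {"Computer": "ws-009", "Signature": "tool:msil/rubeus.a", "Action": "Allowed"},
    # 'PWSteal' neither starts the string nor contains the literal 'PWS.', so
    # the rule does not select it: the value list is literal, not a regex.
    {"Computer": "ws-011", "Signature": "Trojan:Win32/PWSteal.Zbot", "Action": "Quarantined"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three alerts (ws-017, ws-042, ws-009), all at the rule's `critical` level, including the event the AV already blocked; the `PWSteal` event is left out, which illustrates why a vendor's family naming should be checked against the value list before relying on the rule for that product.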
