Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper
Sigma rule
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: Detects a highly relevant Antivirus alert that reports a password dumper
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
date: 2018/09/09
modified: 2023/01/18
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
            - 'DumpCreds'
            - 'Mimikatz'
            - 'PWCrack'
            - 'HTool/WCE'
            - 'PSWTool'
            - 'PWDump'
            - 'SecurityTool'
            - 'PShlSpy'
            - 'Rubeus'
            - 'Kekeo'
            - 'LsassDump'
            - 'Outflank'
            - 'DumpLsass'
            - 'SharpDump'
            - 'PWSX'
            - 'PWS.'
    condition: selection
falsepositives:
    - Unlikely
level: critical
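The selection above is a list of two alternatives, so it fires when the Signature field either starts with 'PWS' or contains any of the listed substrings; Sigma string matching is case-insensitive by default. The following Python is an added example, not part of the rule or the Sigma project, that evaluates this selection against a handful of constructed antivirus alert records so the matching behaviour can be checked offline. Only the Signature field comes from the rule; the Computer field and all alert values are invented for the example.

```python
"""Evaluate the 'Antivirus Password Dumper Detection' Sigma selection
against antivirus alert records (added example, not the rule's own code)."""

# Substrings from the rule's Signature|contains list, verbatim.
CONTAINS_TERMS = [
    'DumpCreds', 'Mimikatz', 'PWCrack', 'HTool/WCE', 'PSWTool', 'PWDump',
    'SecurityTool', 'PShlSpy', 'Rubeus', 'Kekeo', 'LsassDump', 'Outflank',
    'DumpLsass', 'SharpDump', 'PWSX', 'PWS.',
]
# Prefix from the rule's Signature|startswith clause.
STARTSWITH_PREFIX = 'PWS'


def matched_term(signature: str):
    """Return which clause of the selection the signature satisfies, or None.

    Sigma string comparisons are case-insensitive by default, so both the
    signature and the rule's literals are lowercased before comparing.
    """
    sig = signature.lower()
    if sig.startswith(STARTSWITH_PREFIX.lower()):
        return 'startswith:' + STARTSWITH_PREFIX
    for term in CONTAINS_TERMS:
        if term.lower() in sig:
            return 'contains:' + term
    return None


def matches_rule(alert: dict) -> bool:
    """True when the alert carries a Signature field that satisfies the selection."""
    signature = alert.get('Signature')
    if not isinstance(signature, str):
        # An alert without a Signature field cannot match; the rule keys on that field only.
        return False
    return matched_term(signature) is not None


def matching_hosts(alerts):
    """Return the Computer values of all alerts that match, preserving input order."""
    return [a['Computer'] for a in alerts if matches_rule(a)]


# Constructed sample alerts (not real telemetry). 'Computer' is an assumed
# field name used only to identify the sample records.
SAMPLE_ALERTS = [
    {'Computer': 'ws01', 'Signature': 'PWS:Win32/Fareit'},           # startswith 'PWS'
    {'Computer': 'ws02', 'Signature': 'HackTool:Win64/Mimikatz!dha'},  # contains 'Mimikatz'
    {'Computer': 'ws03', 'Signature': 'Trojan.PWS.Zbot'},             # contains 'PWS.' mid-string
    {'Computer': 'ws04', 'Signature': 'Trojan:Win32/Emotet'},         # no clause matches
    {'Computer': 'ws05', 'Signature': 'Win32/pwdump.A'},              # lowercase: still matches 'PWDump'
    {'Computer': 'ws06', 'Signature': 'EICAR-Test-File'},             # no clause matches
    {'Computer': 'ws07'},                                             # alert without a Signature field
]

if __name__ == '__main__':
    for alert in SAMPLE_ALERTS:
        sig = alert.get('Signature', '<no Signature>')
        print(f"{alert['Computer']}: {sig!r} -> {matched_term(sig) if 'Signature' in alert else None}")
    print('matching hosts:', matching_hosts(SAMPLE_ALERTS))
```

The 'ws03' record is the reason the rule carries both a 'PWS' prefix clause and a 'PWS.' contains clause: vendor naming schemes differ on whether the family prefix sits at the start of the name or after a type token such as 'Trojan.', and only the contains clause catches the latter. When porting this rule to a backend, confirm that the generated query is case-insensitive, since a case-sensitive match would miss the 'ws05' style of signature.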
Related rules
- Mimikatz Command Line With Ticket Export
- Cred Dump Tools Dropped Files
- HackTool - Mimikatz Execution
- Shadow Copies Creation Using Operating Systems Utilities
- Credential Dumping Tools Service Execution - System