Antivirus Password Dumper Detection

 1title: Antivirus Password Dumper Detection
 2id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 3status: stable
 4description: Detects a highly relevant Antivirus alert that reports a password dumper
 5references:
 6    - https://www.nextron-systems.com/?s=antivirus
 7    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 8    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
 9author: Florian Roth (Nextron Systems)
10date: 2018/09/09
11modified: 2023/01/18
12tags:
13    - attack.credential_access
14    - attack.t1003
15    - attack.t1558
16    - attack.t1003.001
17    - attack.t1003.002
18logsource:
19    category: antivirus
20detection:
21    selection:
22        - Signature|startswith: 'PWS'
23        - Signature|contains:
24              - 'DumpCreds'
25              - 'Mimikatz'
26              - 'PWCrack'
27              - 'HTool/WCE'
28              - 'PSWTool'
29              - 'PWDump'
30              - 'SecurityTool'
31              - 'PShlSpy'
32              - 'Rubeus'
33              - 'Kekeo'
34              - 'LsassDump'
35              - 'Outflank'
36              - 'DumpLsass'
37              - 'SharpDump'
38              - 'PWSX'
39              - 'PWS.'
40    condition: selection
41falsepositives:
42    - Unlikely
43level: critical

References

• You searched for antivirus - Nextron Systems

  

  by Florian Roth | Jan 20, 2023 We've updated our Antivirus Event Analysis Cheat Sheet to version 1.12.0. It includes updates in several sections New signatures for PUA like FRP and Adfind Signature...

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• Mimikatz Command Line With Ticket Export
• Cred Dump Tools Dropped Files
• HackTool - Mimikatz Execution
• Shadow Copies Creation Using Operating Systems Utilities
• Credential Dumping Tools Service Execution - System