Antivirus Password Dumper Detection

Detects an antivirus alert whose signature name identifies a password dumper or other credential-theft tool (Mimikatz, Rubeus, WCE, LSASS dumpers and similar). Such an alert usually means an attacker is already on the host and attempting credential access, which is why the rule is rated critical.

Sigma rule

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: Detects a highly relevant Antivirus alert that reports a password dumper.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
date: 2018-09-09
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'LsassDump'
              - 'Mimikatz'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'Rubeus'
              - 'SecurityTool'
              - 'SharpDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical
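The detection block above is a single `selection` made of two list items that are OR-ed together: a `startswith` test on the `Signature` field and a `contains` test against a list of tool names. Sigma string modifiers compare case-insensitively by default, which matters when the rule is hand-translated into a SIEM query. The following is an added example, not part of the rule or the SigmaHQ project, that re-implements that selection in Python and runs it over a handful of constructed antivirus events; the event shape (a dict with `Computer` and `Signature` keys) and the sample signature names are assumptions made for the example.

```python
"""Evaluate the 'selection' of the Antivirus Password Dumper Detection rule
against sample antivirus events.

Added example, not the rule's or SigmaHQ's own code. The event format and the
sample signature strings below are assumptions made for illustration.
"""

# Match lists copied from the rule's 'selection' block.
STARTSWITH = ["PWS"]
CONTAINS = [
    "DCSync", "DumpCreds", "DumpLsass", "HTool/WCE", "Kekeo", "LsassDump",
    "Mimikatz", "Outflank", "PShlSpy", "PSWTool", "PWCrack", "PWDump",
    "PWS.", "PWSX", "Rubeus", "SecurityTool", "SharpDump",
]


def matches(event: dict) -> bool:
    """Return True if the event satisfies the rule's 'selection'.

    Sigma semantics reproduced here:
      * values listed under one modifier are OR-ed;
      * the two list items of 'selection' are OR-ed as well;
      * 'startswith' and 'contains' are case-insensitive by default,
        so both sides are lower-cased before comparison.
    An event without a string 'Signature' field cannot match.
    """
    sig = event.get("Signature")
    if not isinstance(sig, str):
        return False
    s = sig.lower()
    if any(s.startswith(p.lower()) for p in STARTSWITH):
        return True
    return any(c.lower() in s for c in CONTAINS)


# Constructed sample events (not real telemetry). Signature names imitate
# common vendor naming styles; the hostnames are invented.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Signature": "PWS:Win32/Fareit.A"},        # 'PWS' prefix
    {"Computer": "WS02", "Signature": "HackTool:Win64/Mimikatz.A"},  # contains 'Mimikatz'
    {"Computer": "WS03", "Signature": "Trojan.PWS.Stealer"},         # contains 'PWS.'
    {"Computer": "WS04", "Signature": "Trojan:Win32/Emotet.PD"},     # no match
    {"Computer": "WS05", "Signature": "hacktool.rubeus"},            # lower case still hits
    {"Computer": "WS06", "Signature": "Win32/PUA.SecurityTool"},     # contains 'SecurityTool'
]


def run(events) -> list:
    """Return the hosts whose antivirus event triggers the rule."""
    return [e["Computer"] for e in events if matches(e)]


if __name__ == "__main__":
    for host in run(SAMPLE_EVENTS):
        print(f"CRITICAL: password dumper alert on {host}")
```

Two points worth keeping in mind when porting this to a real backend: first, the `PWS` prefix is the family prefix Microsoft Defender uses for password stealers (for example `PWS:Win32/...`), so `startswith: 'PWS'` catches commodity infostealer detections as well as hands-on-keyboard tooling, which is intentional for a credential-access rule; second, if your SIEM's string operators are case-sensitive, the converted query must lower-case the field or use a case-insensitive operator, otherwise a signature such as `hacktool.rubeus` slips past.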
