Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper.
Sigma rule

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: Detects a highly relevant Antivirus alert that reports a password dumper.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
date: 2018-09-09
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'LsassDump'
              - 'Mimikatz'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'Rubeus'
              - 'SecurityTool'
              - 'SharpDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical
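The selection above is two OR-ed tests on the normalized Signature field: a prefix match on 'PWS' and a substring match on any of the listed tool names. Two details matter when porting it by hand rather than through a Sigma backend: Sigma string matching is case-insensitive by default, so 'hacktool/rubeus.a' must hit as well as 'HackTool:Win32/Rubeus', and the antivirus log source is a taxonomy, so your product's own threat-name field has to be mapped onto Signature before the rule is evaluated. The following Python is an added illustration of that evaluation, not code from the rule or from SigmaHQ; the key=value export format, the ThreatName field name and the log lines themselves are constructed for the example.

```python
import re

# Selection terms copied verbatim from the rule's detection block.
SIGNATURE_STARTSWITH = ("PWS",)
SIGNATURE_CONTAINS = (
    "DCSync", "DumpCreds", "DumpLsass", "HTool/WCE", "Kekeo", "LsassDump",
    "Mimikatz", "Outflank", "PShlSpy", "PSWTool", "PWCrack", "PWDump",
    "PWS.", "PWSX", "Rubeus", "SecurityTool", "SharpDump",
)

# Hypothetical product-to-Sigma field mapping (assumption for this example):
# the exporting AV names its detection field "ThreatName"; the Sigma antivirus
# taxonomy expects "Signature".
FIELD_MAP = {"ThreatName": "Signature"}

# Constructed key="value" export lines; not real telemetry.
SAMPLE_LOG = r'''
ts="2024-10-08T10:01:02Z" Computer="WS01" ThreatName="HackTool:Win32/Mimikatz!pz" Path="C:\Users\a\mimi.exe"
ts="2024-10-08T10:03:11Z" Computer="WS02" ThreatName="PWS:Win32/Fareit" Path="C:\Temp\x.exe"
ts="2024-10-08T10:04:40Z" Computer="WS03" ThreatName="Trojan:Win32/Emotet" Path="C:\Temp\y.dll"
ts="2024-10-08T10:07:05Z" Computer="WS04" ThreatName="hacktool/rubeus.a" Path="C:\Temp\r.exe"
ts="2024-10-08T10:09:58Z" Computer="WS05" ThreatName="Adware:Win32/Generic" Path="C:\Temp\z.exe"
'''

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Parse one key="value" line and rename product fields to Sigma names."""
    raw = dict(KV_RE.findall(line))
    return {FIELD_MAP.get(k, k): v for k, v in raw.items()}


def matches_rule(event: dict) -> bool:
    """Evaluate `condition: selection` for one normalized event.

    Sigma's startswith/contains modifiers are case-insensitive by default, so
    both sides are lower-cased. The two list items under `selection` are OR-ed,
    as are the values inside the contains list.
    """
    sig = event.get("Signature")
    if not isinstance(sig, str):
        return False  # no Signature field: the rule cannot fire
    s = sig.lower()
    if any(s.startswith(p.lower()) for p in SIGNATURE_STARTSWITH):
        return True
    return any(t.lower() in s for t in SIGNATURE_CONTAINS)


def run_rule(log_text: str) -> list[dict]:
    """Return the events from a key="value" export that trigger the rule."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["Computer"]}: {hit["Signature"]} ({hit["Path"]})')
```

Of the five constructed lines, WS01, WS02 and WS04 fire (Mimikatz substring, PWS prefix, and the lower-case Rubeus name respectively); the Emotet and generic adware detections do not. If your AV normalizes names differently (for example, a vendor that never uses the 'PWS' prefix), the contains list still carries the rule, but a product-specific field mapping like FIELD_MAP is the part that most often silently breaks a Sigma deployment, so verify it with a known-positive event before trusting the critical level.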
Related rules
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Credential Dumping Tools Named Pipe Created
- HackTool - Mimikatz Execution