Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

Sigma rule (View on GitHub)

 1title: Credential Dumping Tools Service Execution - Security
 2id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
 3related:
 4    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 5      type: derived
 6status: test
 7description: Detects well-known credential dumping tools execution via service execution events
 8references:
 9    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
10author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
11date: 2017-03-05
12modified: 2022-11-29
13tags:
14    - attack.credential-access
15    - attack.execution
16    - attack.t1003.001
17    - attack.t1003.002
18    - attack.t1003.004
19    - attack.t1003.005
20    - attack.t1003.006
21    - attack.t1569.002
22    - attack.s0005
23logsource:
24    product: windows
25    service: security
26    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
27detection:
28    selection:
29        EventID: 4697
30        ServiceFileName|contains:
31            - 'cachedump'
32            - 'dumpsvc'
33            - 'fgexec'
34            - 'gsecdump'
35            - 'mimidrv'
36            - 'pwdump'
37            - 'servpw'
38    condition: selection
39falsepositives:
40    - Legitimate Administrator using credential dumping tool for password recovery
41level: high

References

Related rules

to-top