Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
Sigma rule
```yaml
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
```
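To show what the `selection` block actually asserts, the following script applies the same three ANDed conditions (Service Control Manager as provider, Event ID 7045, and a case-insensitive substring match on `ImagePath`) to a handful of System-log records. This is an added example, not code from the Sigma project or the rule's authors; the event records are constructed sample data, and the field names used (`Provider_Name`, `EventID`, `ImagePath`, `ServiceName`) are taken from the rule's own selection rather than from any particular log-collection pipeline.

```python
"""Evaluate the Sigma selection above against constructed Windows System-log
events. Added example, not code from the Sigma project; the events below are
constructed sample records, and the field names follow the rule's selection."""

from typing import Optional

# Substrings copied from the rule's ImagePath|contains list.
IMAGEPATH_TERMS = ("cachedump", "dumpsvc", "fgexec", "gsecdump",
                   "mimidrv", "pwdump", "servpw")


def matched_term(event: dict) -> Optional[str]:
    """Return the ImagePath substring that fired, or None when the event does
    not satisfy the selection. The three selection fields are ANDed, as in
    Sigma; the substring test is case-insensitive, which is Sigma's default
    for string matching."""
    if event.get("Provider_Name") != "Service Control Manager":
        return None
    if event.get("EventID") != 7045:
        return None
    image_path = str(event.get("ImagePath", "")).lower()
    for term in IMAGEPATH_TERMS:
        if term in image_path:
            return term
    return None


def matches_rule(event: dict) -> bool:
    return matched_term(event) is not None


# Constructed sample events (not real telemetry). Only the first and the last
# satisfy every condition of the selection.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "mimidrv", "ImagePath": "C:\\Windows\\Temp\\mimidrv.sys"},
    # Ordinary service installation: no listed substring in the image path.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    # Event ID 7036 is a service state change, not a service installation, so
    # the rule does not apply even though the path would match.
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "PwDump", "ImagePath": "C:\\Tools\\pwdump.exe"},
    # Same event number from a different (constructed) provider: not an SCM event.
    {"Provider_Name": "Constructed-Other-Provider", "EventID": 7045,
     "ServiceName": "svc1", "ImagePath": "C:\\Tools\\gsecdump.exe"},
    # Upper-case path: still caught because the match is case-insensitive.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc2", "ImagePath": "C:\\Users\\Public\\GSECDUMP.EXE"},
]


def run_detection(events) -> list:
    """Return (ServiceName, matched term) for every event that fires the rule."""
    return [(e.get("ServiceName"), matched_term(e))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name, term in run_detection(SAMPLE_EVENTS):
        print(f"ALERT level=high service={name} matched={term}")
```

Two things the sample set makes visible: the rule only fires on service installation (7045), so a matching image path in a state-change event is not enough, and a `contains` match is a substring test, so a short term like `servpw` will also hit any unrelated path that happens to embed it. Together with the `falsepositives` entry above (an administrator running a recovery tool), this is why a hit at `level: high` still warrants a look at who installed the service and from where before it is treated as confirmed.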
Related rules
- Credential Dumping Tools Service Execution - Security
- HackTool - Mimikatz Execution
- Cred Dump Tools Dropped Files
- HackTool - Credential Dumping Tools Named Pipe Created
- Mimikatz Use