Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

Sigma rule (View on GitHub)

 1title: Credential Dumping Tools Service Execution - System
 2id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 3status: test
 4description: Detects well-known credential dumping tools execution via service execution events
 5references:
 6    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 7author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 8date: 2017/03/05
 9modified: 2022/11/29
10tags:
11    - attack.credential_access
12    - attack.execution
13    - attack.t1003.001
14    - attack.t1003.002
15    - attack.t1003.004
16    - attack.t1003.005
17    - attack.t1003.006
18    - attack.t1569.002
19    - attack.s0005
20logsource:
21    product: windows
22    service: system
23detection:
24    selection:
25        Provider_Name: 'Service Control Manager'
26        EventID: 7045
27        ImagePath|contains:
28            - 'cachedump'
29            - 'dumpsvc'
30            - 'fgexec'
31            - 'gsecdump'
32            - 'mimidrv'
33            - 'pwdump'
34            - 'servpw'
35    condition: selection
36falsepositives:
37    - Legitimate Administrator using credential dumping tool for password recovery
38level: high

References

Related rules

to-top