Cred Dump Tools Dropped Files

calendar Nov 26, 2025 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.003 attack.t1003.004 attack.t1003.005  ·
Share on: linkedin copy

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Sigma rule (View on GitHub)

 1title: Cred Dump Tools Dropped Files
 2id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
 3status: test
 4description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
 5references:
 6    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 7author: Teymur Kheirkhabarov, oscd.community
 8date: 2019-11-01
 9modified: 2025-10-25
10tags:
11    - attack.credential-access
12    - attack.t1003.001
13    - attack.t1003.002
14    - attack.t1003.003
15    - attack.t1003.004
16    - attack.t1003.005
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        - TargetFilename|contains:
23              - '\fgdump-log'
24              - '\kirbi'
25              - '\pwdump'
26              - '\pwhashes'
27              - '\wce_ccache'
28              - '\wce_krbtkts'
29        - TargetFilename|endswith:
30              - '\cachedump.exe'
31              - '\cachedump64.exe'
32              - '\DumpExt.dll'
33              - '\DumpSvc.exe'
34              - '\Dumpy.exe'
35              - '\fgexec.exe'
36              - '\lsremora.dll'
37              - '\lsremora64.dll'
38              - '\NTDS.out'
39              - '\procdump.exe'
40              - '\procdump64.exe'
41              - '\procdump64a.exe'
42              - '\pstgdump.exe'
43              - '\pwdump.exe'
44              - '\SAM.out'
45              - '\SECURITY.out'
46              - '\servpw.exe'
47              - '\servpw64.exe'
48              - '\SYSTEM.out'
49              - '\test.pwd'
50              - '\wceaux.dll'
51    condition: selection
52falsepositives:
53    - Legitimate Administrator using tool for password recovery
54level: high
55regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml

References

  • Hunting for Credentials Dumping in Windows Environment

    The document discusses credential dumping techniques in Windows environments, highlighting methods used by various threat actor groups to extract sensitive information from systems, including tools like Mimikatz and WCE. It emphasizes the importance of detecting such activities through system logs (Sysmon and Windows Event Logs) and outlines potential data sources such as LSASS memory, SAM registry hives, and other offline methods. Additionally, it touches on the use of native Windows features for monitoring and auditing access to sensitive data, providing practical guidance for detecting credential extraction attempts. - Download as a PDF, PPTX or view online for free


    Read More

Related rules

to-top