Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
Sigma rule (View on GitHub)
1title: Cred Dump Tools Dropped Files
2id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
3status: test
4description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
5references:
6 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
7author: Teymur Kheirkhabarov, oscd.community
8date: 2019/11/01
9modified: 2022/09/21
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13 - attack.t1003.002
14 - attack.t1003.003
15 - attack.t1003.004
16 - attack.t1003.005
17logsource:
18 category: file_event
19 product: windows
20detection:
21 selection:
22 - TargetFilename|contains:
23 - '\fgdump-log'
24 - '\kirbi'
25 - '\pwdump'
26 - '\pwhashes'
27 - '\wce_ccache'
28 - '\wce_krbtkts'
29 - TargetFilename|endswith:
30 - '\cachedump.exe'
31 - '\cachedump64.exe'
32 - '\DumpExt.dll'
33 - '\DumpSvc.exe'
34 - '\Dumpy.exe'
35 - '\fgexec.exe'
36 - '\lsremora.dll'
37 - '\lsremora64.dll'
38 - '\NTDS.out'
39 - '\procdump64.exe'
40 - '\pstgdump.exe'
41 - '\pwdump.exe'
42 - '\SAM.out'
43 - '\SECURITY.out'
44 - '\servpw.exe'
45 - '\servpw64.exe'
46 - '\SYSTEM.out'
47 - '\test.pwd'
48 - '\wceaux.dll'
49 condition: selection
50falsepositives:
51 - Legitimate Administrator using tool for password recovery
52level: high
References
-
Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free
Read More
Related rules
- HackTool - Mimikatz Execution
- Credential Dumping Tools Service Execution - System
- Credential Dumping Tools Service Execution - Security
- HackTool - Credential Dumping Tools Named Pipe Created
- Mimikatz Command Line With Ticket Export