HackTool - NPPSpy Hacktool Usage
Detects use of the NPPSpy hacktool, which writes the cleartext passwords of users who log on to the host into a local file.
Sigma rule
title: HackTool - NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
    - https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2024-06-27
tags:
    - attack.credential-access
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\NPPSpy.txt'
            - '\NPPSpy.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
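The following is an added example, not part of the Sigma project or this rule, showing how the rule's single selection evaluates against Windows file-event records. It assumes events are plain dictionaries carrying a `TargetFilename` field (the shape Sysmon Event ID 11 maps to in the `file_event` log source); the sample events are constructed and include a mixed-case filename and a near-miss (`NPPSpy.txt.bak`) to show where the `endswith` boundary falls. Sigma string matching is case-insensitive by default, so the comparison lower-cases both sides as a Sigma backend would.

```python
"""Added example: apply the NPPSpy Sigma rule's selection to file events.

Illustrative code written for this page, not part of SigmaHQ or NPPSpy.
The event records below are constructed sample data, not real telemetry.
"""
from typing import Iterable

# The two suffixes from the rule's `TargetFilename|endswith` selection.
NPPSPY_SUFFIXES = ("\\NPPSpy.txt", "\\NPPSpy.dll")


def matches_nppspy_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection.

    Sigma's default string matching is case-insensitive, so both the
    field value and the rule's literals are lower-cased before comparing.
    A missing or non-string TargetFilename never matches.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    target_lc = target.lower()
    return any(target_lc.endswith(s.lower()) for s in NPPSPY_SUFFIXES)


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Return the subset of file events the rule would alert on."""
    return [e for e in events if matches_nppspy_rule(e)]


# Constructed sample events (hypothetical paths and process images).
SAMPLE_EVENTS = [
    # Exact suffix match: alerts.
    {"EventID": 11, "Image": "C:\\Temp\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\NPPSpy.txt"},
    # Different case: still alerts, because Sigma matching is case-insensitive.
    {"EventID": 11, "Image": "C:\\Temp\\setup.exe",
     "TargetFilename": "C:\\Tools\\nppspy.DLL"},
    # Extra extension after the suffix: does not alert (endswith boundary).
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\Temp\\NPPSpy.txt.bak"},
    # Unrelated file: does not alert.
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Users\\alice\\report.docx"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"], "written by", hit["Image"])
```

Because the rule keys only on the two filename suffixes, a renamed output file or DLL falls outside it; pairing this file-event rule with registry or image-load telemetry for the same host gives the analyst a second signal when triaging a hit.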