NPPSpy Hacktool Usage

Detects use of the NPPSpy hacktool, which stores the cleartext passwords of logged-in users in a local file.

Sigma rule

title: NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
    - https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021/11/29
modified: 2022/12/25
tags:
    - attack.credential_access
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\NPPSpy.txt'
            - '\NPPSpy.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
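
The rule's selection applied to constructed file-creation events, as an added example that is not part of the original rule or the Sigma project. The JSON event layout, the `EventID` field and the sample paths are assumptions; the two suffixes are the rule's own, and matching is case-insensitive as Sigma string comparison is by default.

```python
import json

# Suffixes copied from the rule's TargetFilename|endswith list.
SUFFIXES = ("\\NPPSpy.txt", "\\NPPSpy.dll")

# Constructed file-creation events as JSON lines (not real telemetry).
SAMPLE_LINES = [
    r'{"EventID": 11, "TargetFilename": "C:\\Windows\\System32\\NPPSpy.dll"}',
    r'{"EventID": 11, "TargetFilename": "c:\\nppspy.TXT"}',
    r'{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\MyNPPSpy.txt"}',
    r'{"EventID": 11, "TargetFilename": "C:\\Temp\\NPPSpy.txt.bak"}',
    r'{"EventID": 11}',
    'not json at all',
]


def matches_selection(event: dict) -> bool:
    """Apply the rule's 'endswith' modifier to TargetFilename, ignoring case."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False  # an event without the field cannot satisfy the selection
    target = target.lower()
    # The leading backslash in each suffix anchors the match to a whole file
    # name, so 'MyNPPSpy.txt' does not match while 'nppspy.TXT' does.
    return any(target.endswith(suffix.lower()) for suffix in SUFFIXES)


def scan(lines):
    """Return TargetFilename for every matching event; skip unparsable lines."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches_selection(event):
            hits.append(event["TargetFilename"])
    return hits


if __name__ == "__main__":
    for path in scan(SAMPLE_LINES):
        print("ALERT level=high title='NPPSpy Hacktool Usage' file=" + path)
```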
