HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
Sigma rule
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical
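The selection above is a single `contains|all` test on `TargetFilename`: both substrings must be present, in any order, and Sigma compares strings case-insensitively unless the `cased` modifier is used. The following is an added example, not part of the SigmaHQ rule or of any Sigma conversion backend: a small evaluator for that selection, run over constructed Sysmon Event ID 11 (FileCreate) records. The dump file names and process paths in the sample events are invented for the example and are not taken from the referenced JPCERT tool sheet.

```python
"""Evaluate the QuarksPwDump file_event selection over constructed Sysmon
Event ID 11 records. Added example; not SigmaHQ or pySigma code."""
from typing import Any, Dict, List

# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate).
# File names are invented for this example.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\qpd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SAM-1234.dmp"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SAM-1234.txt"},
    {"EventID": 11, "Image": "C:\\Tools\\qpd.exe",
     "TargetFilename": "C:\\Temp\\SAM-5678.dmp"},
    {"EventID": 11, "Image": "C:\\Tools\\QPD.EXE",
     "TargetFilename": "c:\\users\\bob\\appdata\\local\\temp\\sam-9.DMP"},
    {"EventID": 11, "Image": "C:\\Program Files\\Backup\\agent.exe",
     "TargetFilename": "C:\\Users\\carol\\AppData\\Local\\Temp\\crash.dmp"},
]

# The rule's selection block, keyed the way Sigma writes field|modifier.
SELECTION: Dict[str, Any] = {
    "TargetFilename|contains|all": ["\\AppData\\Local\\Temp\\SAM-", ".dmp"],
}


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Apply one `field|modifier...` entry of a Sigma selection to an event."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, ""))  # a missing field never matches
    patterns = expected if isinstance(expected, list) else [expected]
    patterns = [str(p) for p in patterns]
    # Sigma string comparison is case-insensitive unless |cased is present.
    if "cased" not in modifiers:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    if "contains" in modifiers:
        tests = [p in value for p in patterns]
    elif "startswith" in modifiers:
        tests = [value.startswith(p) for p in patterns]
    elif "endswith" in modifiers:
        tests = [value.endswith(p) for p in patterns]
    else:
        tests = [value == p for p in patterns]
    # A list of values is OR by default; the |all modifier turns it into AND.
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(event: Dict[str, Any],
                      selection: Dict[str, Any] = SELECTION) -> bool:
    """All field entries inside one selection map are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def run_rule(events: List[Dict[str, Any]]) -> List[str]:
    """Return the TargetFilename of every event the selection matches."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT HackTool - QuarksPwDump Dump File:", hit)
```

Two things worth noticing when tuning this rule: the mixed-case `sam-9.DMP` event is a hit, because Sigma's default comparison is case-insensitive and the converted query must preserve that; and `contains` is not `endswith`, so a name such as `SAM-1.dmp.bak` under that Temp path also matches. The `C:\Temp\SAM-5678.dmp` event is deliberately not a hit, since the rule pins the dump to the per-user `AppData\Local\Temp` directory.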
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Critical Hive In Suspicious Location Access Bits Cleared