QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
Sigma rule (View on GitHub)
1title: QuarksPwDump Dump File
2id: 847def9e-924d-4e90-b7c4-5f581395a2b4
3status: test
4description: Detects a dump file written by QuarksPwDump password dumper
5references:
6 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
7author: Florian Roth (Nextron Systems)
8date: 2018/02/10
9modified: 2021/11/27
10tags:
11 - attack.credential_access
12 - attack.t1003.002
13logsource:
14 category: file_event
15 product: windows
16detection:
17 selection:
18 TargetFilename|contains|all:
19 - '\AppData\Local\Temp\SAM-'
20 - '.dmp'
21 condition: selection
22falsepositives:
23 - Unknown
24level: critical
References
-
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent ...
Read More
Related rules
- HackTool - Pypykatz Credentials Dumping Activity
- Mimikatz Use
- Mimikatz Command Line With Ticket Export
- Transferring Files with Credential Data via Network Shares - Zeek
- Esentutl Volume Shadow Copy Service Keys