Potential Remote Credential Dumping Activity
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Sigma rule (View on GitHub)
1title: Potential Remote Credential Dumping Activity
2id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
3status: test
4description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
5references:
6 - https://github.com/Porchetta-Industries/CrackMapExec
7 - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
8author: SecurityAura
9date: 2022/11/16
10modified: 2023/01/05
11tags:
12 - attack.credential_access
13 - attack.t1003
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 Image|endswith: '\svchost.exe'
20 # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
21 TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
A swiss army knife for pentesting networks. Contribute to byt3bl33d3r/CrackMapExec development by creating an account on GitHub.
Read More -
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More
Related rules
- Antivirus Password Dumper Detection
- HackTool - Rubeus Execution
- Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Shadow Copies Creation Using Operating Systems Utilities
- Potential Credential Dumping Via LSASS Process Clone