HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
Sigma rule

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
  - https://github.com/GhostPack/SafetyKatz
  - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
  - attack.credential-access
  - attack.t1003.001
logsource:
  category: file_event   # on Windows this is typically backed by Sysmon Event ID 11 (FileCreate)
  product: windows
detection:
  selection:
    TargetFilename|endswith: '\Temp\debug.bin'
  condition: selection
falsepositives:
  - Rare legitimate files with similar filename structure
level: high
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security