SafetyKatz Default Dump Filename
Detects default lsass dump filename from SafetyKatz
Sigma rule

title: SafetyKatz Default Dump Filename
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename from SafetyKatz
references:
  - https://github.com/GhostPack/SafetyKatz
  - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018/07/24
modified: 2021/11/27
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '\Temp\debug.bin'
  condition: selection
falsepositives:
  - Rare legitimate files with similar filename structure
level: high
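To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule's sources) that applies the rule's `TargetFilename|endswith` test, with Sigma's default case-insensitive string matching, to constructed Sysmon Event ID 11 (FileCreate) records; the record contents are made up for illustration.

```python
"""Added example: evaluates the SafetyKatz Sigma rule's selection against
constructed Sysmon Event ID 11 (FileCreate) records. Not part of the Sigma
project; the sample records are constructed, not real telemetry."""
from typing import Iterable

# Suffix taken verbatim from the rule: TargetFilename|endswith
RULE_SUFFIX = r"\Temp\debug.bin"


def matches_safetykatz_rule(event: dict) -> bool:
    """Sigma string matching is case-insensitive by default, so the
    'endswith' modifier is evaluated on lower-cased values. Only file
    events (Sysmon EventID 11 here) are considered, mirroring the
    rule's logsource category of file_event."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return target.lower().endswith(RULE_SUFFIX.lower())


def find_hits(events: Iterable[dict]) -> list:
    """Return every record the rule's selection would alert on."""
    return [e for e in events if matches_safetykatz_rule(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\tool.exe",
     "TargetFilename": r"C:\Windows\Temp\debug.bin"},            # hit
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\TEMP\DEBUG.BIN"},  # hit (case-insensitive)
    {"EventID": 11, "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Temp\debug.bin.bak"},               # no hit: different suffix
    {"EventID": 1, "Image": r"C:\Windows\Temp\debug.bin"},      # no hit: process event, not file event
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} wrote {hit['TargetFilename']}")
```

The second record illustrates the false-positive note in the rule: any writer of a `debug.bin` under a `Temp` directory fires the selection, so triage should check the writing process, not just the filename.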
Related rules
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- HackTool - CreateMiniDump Execution
- HackTool - Dumpert Process Dumper Execution
- Mimikatz Use
- PowerShell Get-Process LSASS in ScriptBlock