HackTool - Credential Dumping Tools Named Pipe Created

calendar Aug 7, 2023 · attack.credential_access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005  ·
Share on: linkedin copy

Detects well-known credential dumping tools execution via specific named pipe creation

Sigma rule (View on GitHub)

 1title: HackTool - Credential Dumping Tools Named Pipe Created
 2id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
 3status: test
 4description: Detects well-known credential dumping tools execution via specific named pipe creation
 5references:
 6    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 7    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
 8author: Teymur Kheirkhabarov, oscd.community
 9date: 2019/11/01
10modified: 2023/08/07
11tags:
12    - attack.credential_access
13    - attack.t1003.001
14    - attack.t1003.002
15    - attack.t1003.004
16    - attack.t1003.005
17logsource:
18    product: windows
19    category: pipe_created
20    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22    selection:
23        PipeName|contains:
24            - '\cachedump'
25            - '\lsadump'
26            - '\wceservicepipe'
27    condition: selection
28falsepositives:
29    - Legitimate Administrator using tool for password recovery
30level: critical

References

  • Hunting for Credentials Dumping in Windows Environment

    Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free


    Read More

  • RIFFÌ‘WEBPVP8 À‘0Ã�*€>‘FžK%£¦±£sz20 enÿ«ã3¼ý‡Ì#ë`£±Y66i8ÿêΤ¬Kaˆ»ŸLÐóÏõëöøÏþù�ó~µÜóå‡×!þoÝçù]¬{wü/-n…ý'íþ‡ì÷¼ïŸì}‚ÿ½§õ™ÿs÷Þ÷ùOú~£ª¤ýÃÿ¯ð¡þßöëý¯ÂÏìŸïp¿Ü|ƒÿfÿMÿßÚûþÿ¯úŸ ¿ååÿÿ...


    Read More

Related rules

to-top