Credential Dumping Attempt Via Svchost

calendar Aug 12, 2024 · attack.t1548  ·
Share on: linkedin copy

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Sigma rule (View on GitHub)

 1title: Credential Dumping Attempt Via Svchost
 2id: 174afcfa-6e40-4ae9-af64-496546389294
 3status: test
 4description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
 5references:
 6    - Internal Research
 7author: Florent Labouyrie
 8date: 2021-04-30
 9modified: 2022-10-09
10tags:
11    - attack.t1548
12logsource:
13    product: windows
14    category: process_access
15detection:
16    selection:
17        TargetImage|endswith: '\svchost.exe'
18        GrantedAccess: '0x143a'
19    filter_main_known_processes:
20        SourceImage|endswith:
21            - '\services.exe'
22            - '\msiexec.exe'
23    condition: selection and not 1 of filter_main_*
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top