HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored.
Sigma rule
title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
  - https://github.com/skelsec/pypykatz
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022-01-05
modified: 2023-02-05
tags:
  - attack.credential-access
  - attack.t1003.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - \pypykatz.exe
      - \python.exe
    CommandLine|contains|all:
      - 'live'
      - 'registry'
  condition: selection
falsepositives:
  - Unknown
level: high
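The selection logic above, as an added example that is not part of the SigmaHQ rule or of pypykatz: a small Python evaluator for this rule's `Image|endswith` and `CommandLine|contains|all` fields, run over constructed process_creation events. The event paths and command lines are hypothetical, and the matcher assumes Sigma's default case-insensitive string matching.

```python
# Added example (not from the SigmaHQ rule or pypykatz): evaluate this rule's
# `selection` against constructed process_creation events to see what does
# and does not match. Sigma string modifiers are case-insensitive, so both
# sides are lowercased before comparison.
from typing import Dict, List

# The rule's selection, transcribed from the YAML above.
SELECTION = {
    "Image|endswith": [r"\pypykatz.exe", r"\python.exe"],
    "CommandLine|contains|all": ["live", "registry"],
}


def _field_matches(event: Dict[str, str], key: str, values: List[str]) -> bool:
    """Evaluate one 'Field|modifier[|modifier]' entry of a Sigma selection."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        return any(actual.endswith(v) for v in wanted)
    if "contains" in mods:
        # 'all' requires every listed value to be present; otherwise any one suffices
        return (all if "all" in mods else any)(v in actual for v in wanted)
    raise ValueError(f"unsupported modifiers: {mods}")


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection -> every entry in the selection map must match."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


# Constructed sample events (hypothetical paths and command lines).
EVENTS = [
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": "python.exe -m pypykatz live registry"},   # match
    {"Image": r"C:\Tools\pypykatz.exe",
     "CommandLine": "pypykatz.exe LIVE REGISTRY"},              # match (case-insensitive)
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": "python.exe manage.py runserver"},          # no match: keywords absent
    {"Image": r"C:\Windows\py.exe",
     "CommandLine": "py.exe -m pypykatz live registry"},        # no match: launcher not in Image list
]


def evaluate(events: List[Dict[str, str]] = EVENTS) -> List[bool]:
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("MATCH  " if hit else "nomatch", event["CommandLine"])
```

The last event shows a coverage gap worth checking in your own telemetry: the Windows `py.exe` launcher is not in the rule's `Image` list, so a run through it is missed unless the list is extended.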
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Critical Hive In Suspicious Location Access Bits Cleared