HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored.
Sigma rule
title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
    - https://github.com/skelsec/pypykatz
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022/01/05
modified: 2023/02/05
tags:
    - attack.credential_access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \pypykatz.exe
            - \python.exe
        CommandLine|contains|all:
            - 'live'
            - 'registry'
    condition: selection
falsepositives:
    - Unknown
level: high
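To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's `Image|endswith` and `CommandLine|contains|all` fields over a few constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that `contains|all` does not care about keyword order.

```python
# Added example: a minimal evaluator for this rule's "selection" block.
# Sigma string modifiers match case-insensitively by default (assumption
# stated in the lead-in), so both sides are lowercased before comparing.

RULE = {
    "Image|endswith": ["\\pypykatz.exe", "\\python.exe"],
    "CommandLine|contains|all": ["live", "registry"],
}


def image_matches(image: str) -> bool:
    """Image|endswith: any listed suffix may match (OR within the list)."""
    image = image.lower()
    return any(image.endswith(s.lower()) for s in RULE["Image|endswith"])


def cmdline_matches(cmdline: str) -> bool:
    """CommandLine|contains|all: every keyword must appear, in any order."""
    cmdline = cmdline.lower()
    return all(s.lower() in cmdline for s in RULE["CommandLine|contains|all"])


def matches(event: dict) -> bool:
    """condition: selection -> both field checks hold for the same event."""
    return image_matches(event.get("Image", "")) and cmdline_matches(
        event.get("CommandLine", "")
    )


# Constructed sample events, not real telemetry.
EVENTS = [
    # Direct pypykatz binary: fires.
    {"Image": r"C:\Tools\pypykatz.exe", "CommandLine": "pypykatz.exe live registry"},
    # Module invocation via python.exe, mixed case: still fires.
    {"Image": r"C:\Python39\python.exe", "CommandLine": "python.exe -m pypykatz LIVE Registry"},
    # Unrelated python script that happens to contain both keywords: fires too,
    # which is the kind of benign hit a tuning pass would have to review.
    {"Image": r"C:\Python39\python.exe", "CommandLine": "python.exe build.py --registry live-site"},
    # Ordinary python usage without both keywords: no match.
    {"Image": r"C:\Python39\python.exe", "CommandLine": "python.exe manage.py runserver"},
    # Different tool touching the SAM hive: outside this rule's scope.
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": "reg.exe save HKLM\\SAM sam.hiv"},
]


def run(events: list) -> list:
    """Return the per-event verdicts; expected [True, True, True, False, False]."""
    return [matches(e) for e in events]
```

The third event illustrates why a two-keyword `contains|all` on `python.exe` deserves environment-specific review even though the rule lists its false positives as unknown.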
Related rules
- Mimikatz Use
- Mimikatz Command Line With Ticket Export
- Transferring Files with Credential Data via Network Shares - Zeek
- Esentutl Volume Shadow Copy Service Keys
- Possible Impacket SecretDump Remote Activity - Zeek