HackTool - Quarks PwDump Execution

 1title: HackTool - Quarks PwDump Execution
 2id: 0685b176-c816-4837-8e7b-1216f346636b
 3status: test
 4description: Detects usage of the Quarks PwDump tool via commandline arguments
 5references:
 6    - https://github.com/quarkslab/quarkspwdump
 7    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-09-05
10modified: 2023-02-05
11tags:
12    - attack.credential-access
13    - attack.t1003.002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith: '\QuarksPwDump.exe'
20    selection_cli:
21        CommandLine:
22            - ' -dhl'
23            - ' --dump-hash-local'
24            - ' -dhdc'
25            - ' --dump-hash-domain-cached'
26            - ' --dump-bitlocker'
27            - ' -dhd '
28            - ' --dump-hash-domain '
29            - '--ntds-file'
30    condition: 1 of selection_*
31falsepositives:
32    - Unlikely
33level: high

References

• GitHub - quarkslab/quarkspwdump: Dump various types of Windows credentials without injecting in any process.

  

  Dump various types of Windows credentials without injecting in any process. - quarkslab/quarkspwdump

  
  Read More

• Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East

  

  Group continues to be highly active in 2020, while tentative links to recently discovered PowGoop tool suggest possible retooling.

  
  Read More

Related rules

• Copying Sensitive Files with Credential Data
• Cred Dump Tools Dropped Files
• Credential Dumping Tools Service Execution - Security
• Credential Dumping Tools Service Execution - System
• Critical Hive In Suspicious Location Access Bits Cleared