HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
Sigma rule (View on GitHub)
1title: HackTool - SafetyKatz Execution
2id: b1876533-4ed5-4a83-90f3-b8645840a413
3status: test
4description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
5references:
6 - https://github.com/GhostPack/SafetyKatz
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/10/20
9modified: 2023/02/04
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\SafetyKatz.exe'
19 - OriginalFileName: 'SafetyKatz.exe'
20 - Description: 'SafetyKatz'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: critical
References
-
SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader - GhostPack/SafetyKatz
Read More
Related rules
- HackTool - Inveigh Execution
- NotPetya Ransomware Activity
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- Antivirus Password Dumper Detection
- Cred Dump Tools Dropped Files