Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Sigma rule
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1556.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline:
        CommandLine|contains|all:
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            - 'scecli\0*'
            - 'reg add'
    condition: selection_cmdline
falsepositives:
    - Unknown
level: medium
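To see what the detection block actually matches, here is the `selection_cmdline` logic re-implemented as a plain matcher and run over a few constructed process_creation events. This is an added worked example written for this page; it is not SigmaHQ code and does not use a Sigma backend. It assumes events arrive as dictionaries with a `CommandLine` field, the sample command lines are constructed (not captured telemetry), and the DLL name in them is a placeholder.

```python
"""Reference re-implementation of the rule's detection block (added example,
not SigmaHQ code). Sigma's `contains|all` modifier means every listed string
must appear somewhere in the field, and Sigma string matching is
case-insensitive, so the matcher lower-cases both sides."""

# The three substrings from selection_cmdline. In Sigma a backslash before a
# non-wildcard character is literal, so 'scecli\0*' is the literal text
# scecli\0 followed by a trailing wildcard; under `contains` that wildcard
# is redundant, so it is dropped here.
PATTERNS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"scecli\0",
    "reg add",
)


def matches_rule(command_line: str) -> bool:
    """True when all three substrings occur in the command line (case-insensitive)."""
    cl = command_line.lower()
    return all(p.lower() in cl for p in PATTERNS)


def evaluate(events):
    """Return the indices of process_creation events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev.get("CommandLine", ""))]


# Constructed sample events; PLACEHOLDER_FILTER stands in for a DLL name.
SAMPLE_EVENTS = [
    # 0: registers an extra notification package alongside scecli -> should alert
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa '
                    r'/v "Notification Packages" /t REG_MULTI_SZ '
                    r'/d scecli\0PLACEHOLDER_FILTER /f'},
    # 1: benign hardening change under the same Lsa key -> no scecli\0, no alert
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa '
                    r'/v LmCompatibilityLevel /t REG_DWORD /d 5 /f'},
    # 2: same as 0 but with mixed case, showing case-insensitive matching
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'REG ADD hklm\system\currentcontrolset\control\lsa '
                    r'/v "notification packages" /t reg_multi_sz '
                    r'/d scecli\0PLACEHOLDER_FILTER /f'},
]

if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Because the rule is three plain substrings on `CommandLine`, event 1 (a legitimate change under the same `Lsa` key) stays quiet, while a command line that writes the same value through a different tool or with differently spelled arguments will not match this rule either; pairing it with registry-set and file-creation telemetry (see the related rule on installing a DLL in the system directory) is what closes that coverage gap.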
Related rules
- Potential Suspicious Activity Using SeCEdit
- Powershell Install a DLL in System Directory
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability