Dropping Of Password Filter DLL

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Sigma rule (View on GitHub)

 1title: Dropping Of Password Filter DLL
 2id: b7966f4a-b333-455b-8370-8ca53c229762
 3status: test
 4description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
 5references:
 6    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
 7    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 8author: Sreeman
 9date: 2020/10/29
10modified: 2022/10/09
11tags:
12    - attack.credential_access
13    - attack.t1556.002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_cmdline:
19        CommandLine|contains|all:
20            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
21            - 'scecli\0*'
22            - 'reg add'
23    condition: selection_cmdline
24falsepositives:
25    - Unknown
26level: medium

References

Related rules

to-top