blue-team-tools/rules/windows/builtin/win_mal_creddumper.yml

---
action: global
title: Credential Dumping Tools Service Execution
description: Detects well-known credential dumping tools execution via service execution events
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
date: 2017/03/05
modified: 2020/08/23
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.execution
    - attack.t1003          # an old one
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1035          # an old one
    - attack.t1569.002
    - attack.s0005
detection:
    selection_1:
        - ServiceName|contains:
            - 'fgexec'
            - 'wceservice'
            - 'wce service'
            - 'pwdump'
            - 'gsecdump'
            - 'cachedump'
            - 'mimikatz'
            - 'mimidrv'
        - ImagePath|contains:
            - 'fgexec'
            - 'dumpsvc'
            - 'cachedump'
            - 'mimidrv'
            - 'gsecdump'
            - 'servpw'
            - 'pwdump'
        - ImagePath|re: '((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)'
    condition: selection and selection_1
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
---
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697