blue-team-tools/rules/windows/builtin/win_mal_creddumper.yml

action: global
title: Malicious Service Install
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
description: This method detects well-known keywords of malicious services in the Windows System Eventlog
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection1:
        EventID: 
          - 7045
    keywords:
        Message:
          - '*WCE SERVICE*'
          - '*WCESERVICE*'
          - '*DumpSvc*'
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
    condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
falsepositives:
    - Unlikely
level: high
---
logsource:
    product: windows
    service: security
detection:
    selection2:
        EventID: 4697