security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/builtin/security/win_security_mal_creddumper.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

40 lines
1.1 KiB
YAML
Raw Blame History

title: Credential Dumping Tools Service Execution
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
description: Detects well-known credential dumping tools execution via service execution events
status: experimental
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/09/21
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'fgexec'
- 'dumpsvc'
- 'cachedump'
- 'mimidrv'
- 'gsecdump'
- 'servpw'
- 'pwdump'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
Reference in New Issue View Git Blame Copy Permalink