security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/builtin/system/win_mal_creddumper.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

38 lines
1.1 KiB
YAML
Raw Blame History

title: Credential Dumping Tools Service Execution
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
description: Detects well-known credential dumping tools execution via service execution events
status: experimental
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/11/30
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'fgexec'
- 'dumpsvc'
- 'cachedump'
- 'mimidrv'
- 'gsecdump'
- 'servpw'
- 'pwdump'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
Reference in New Issue View Git Blame Copy Permalink