Techniques
Sample rules
Credential Dumping Tools Service Execution - Security
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.004
  - t1003.005
  - t1003.006
  - t1569
  - t1569.002
Description
Detects the execution of well-known credential dumping tools via service installation events (Security log, event ID 4697)
Detection logic
selection:
  EventID: 4697
  ServiceFileName|contains:
    - cachedump
    - dumpsvc
    - fgexec
    - gsecdump
    - mimidrv
    - pwdump
    - servpw
condition: selection
Credential Dumping Tools Service Execution - System
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.004
  - t1003.005
  - t1003.006
  - t1569
  - t1569.002
Description
Detects the execution of well-known credential dumping tools via service installation events (System log, Service Control Manager event ID 7045)
Detection logic
selection:
  Provider_Name: Service Control Manager
  EventID: 7045
  ImagePath|contains:
    - cachedump
    - dumpsvc
    - fgexec
    - gsecdump
    - mimidrv
    - pwdump
    - servpw
condition: selection
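The two rules above share one substring list and differ only in the log source and field they inspect. The following added example (not part of the Sigma project, and not the page's own code) evaluates both rules over a few constructed sample events, using the Sigma default that string modifiers such as `contains` match case-insensitively; the dictionary field names mirror the rule fields and are an assumption about how your pipeline normalises Windows events.

```python
# Substrings shared by both Sigma rules on this page.
DUMP_TOOL_MARKERS = ("cachedump", "dumpsvc", "fgexec", "gsecdump",
                     "mimidrv", "pwdump", "servpw")

def _contains_any(value, needles):
    """Sigma's |contains modifier: case-insensitive substring match
    (the |cased modifier is not used in these rules)."""
    haystack = (value or "").lower()
    return any(n in haystack for n in needles)

def match_security_4697(event):
    """Security log rule: service installed (4697), ServiceFileName checked."""
    return (str(event.get("EventID")) == "4697"
            and _contains_any(event.get("ServiceFileName"), DUMP_TOOL_MARKERS))

def match_system_7045(event):
    """System log rule: SCM event 7045, ImagePath checked."""
    return (event.get("Provider_Name") == "Service Control Manager"
            and str(event.get("EventID")) == "7045"
            and _contains_any(event.get("ImagePath"), DUMP_TOOL_MARKERS))

def evaluate(events):
    """Return (event index, rule title) for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if match_security_4697(ev):
            hits.append((i, "Credential Dumping Tools Service Execution - Security"))
        if match_system_7045(ev):
            hits.append((i, "Credential Dumping Tools Service Execution - System"))
    return hits

# Constructed sample events (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceFileName": r"C:\Windows\Temp\PwDump7.exe"},   # mixed case
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"C:\Windows\System32\drivers\mimidrv.sys"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"C:\Program Files\Vendor\UpdateSvc.exe"},               # benign
    {"EventID": 4697, "ServiceFileName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):   # expected: events 0 and 1 fire
        print(f"event {idx}: {title}")
```

Only the first two sample events fire; the benign service installs in events 2 and 3 do not, even though they are the same event IDs.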