LoFP / legitimate administrator using tool for password recovery

Techniques

Sample rules

Cred Dump Tools Dropped Files

Description

Detects the creation of files with well-known filenames (components of credential dumping software, or files produced by it)

Detection logic

condition: selection
selection:
- TargetFilename|contains:
  - \fgdump-log
  - \kirbi
  - \pwdump
  - \pwhashes
  - \wce_ccache
  - \wce_krbtkts
- TargetFilename|endswith:
  - \cachedump.exe
  - \cachedump64.exe
  - \DumpExt.dll
  - \DumpSvc.exe
  - \Dumpy.exe
  - \fgexec.exe
  - \lsremora.dll
  - \lsremora64.dll
  - \NTDS.out
  - \procdump64.exe
  - \pstgdump.exe
  - \pwdump.exe
  - \SAM.out
  - \SECURITY.out
  - \servpw.exe
  - \servpw64.exe
  - \SYSTEM.out
  - \test.pwd
  - \wceaux.dll

HackTool - Credential Dumping Tools Named Pipe Created

Description

Detects the execution of well-known credential dumping tools via the creation of specific named pipes

Detection logic

condition: selection
selection:
  PipeName|contains:
  - \cachedump
  - \lsadump
  - \wceservicepipe
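The following added example (not part of this LoFP page or the Sigma project) evaluates both selections above against constructed Sysmon-style events, applying Sigma's default case-insensitive `contains`/`endswith` matching and OR-ing the two maps of the first rule's selection list. Because both rules key only on file and pipe names, an administrator's legitimate password recovery tool trips them exactly as this LoFP entry notes, so the output hands the matched rule names to an analyst rather than deciding on its own; the event field names follow Sysmon (EventID 11 FileCreate, EventID 17 PipeEvent) and the sample events are constructed.

```python
# Added example: runs the two Sigma selections from this page over constructed
# Sysmon-style events. Patterns are copied verbatim from the rules above.
FILE_CONTAINS = [r"\fgdump-log", r"\kirbi", r"\pwdump", r"\pwhashes",
                 r"\wce_ccache", r"\wce_krbtkts"]
FILE_ENDSWITH = [r"\cachedump.exe", r"\cachedump64.exe", r"\DumpExt.dll",
                 r"\DumpSvc.exe", r"\Dumpy.exe", r"\fgexec.exe", r"\lsremora.dll",
                 r"\lsremora64.dll", r"\NTDS.out", r"\procdump64.exe", r"\pstgdump.exe",
                 r"\pwdump.exe", r"\SAM.out", r"\SECURITY.out", r"\servpw.exe",
                 r"\servpw64.exe", r"\SYSTEM.out", r"\test.pwd", r"\wceaux.dll"]
PIPE_CONTAINS = [r"\cachedump", r"\lsadump", r"\wceservicepipe"]

def sigma_contains(value, patterns):
    # Sigma string modifiers match case-insensitively by default.
    v = value.lower()
    return any(p.lower() in v for p in patterns)

def sigma_endswith(value, patterns):
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)

def match_rules(event):
    """Return the names of the rules whose selection matches one event dict."""
    hits = []
    if "TargetFilename" in event:  # Sysmon EventID 11 (FileCreate)
        f = event["TargetFilename"]
        # The selection is a list of two maps, so the two maps are OR-ed.
        if sigma_contains(f, FILE_CONTAINS) or sigma_endswith(f, FILE_ENDSWITH):
            hits.append("Cred Dump Tools Dropped Files")
    if "PipeName" in event:  # Sysmon EventID 17 (PipeEvent)
        if sigma_contains(event["PipeName"], PIPE_CONTAINS):
            hits.append("HackTool - Credential Dumping Tools Named Pipe Created")
    return hits

# Constructed sample events (not real telemetry); paths are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Tools\pwdump.exe", "TargetFilename": r"C:\Temp\pwdump.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\a\report.docx"},
    {"EventID": 17, "Image": r"C:\Tools\wce.exe", "PipeName": r"\WCEServicePipe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Temp\dump\SAM.out"},
]

def triage(events):
    """Pair each event's Image with the rules it fires; an empty list means no alert."""
    return [(e.get("Image"), match_rules(e)) for e in events]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(image, "->", rules or "no match")
```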