LoFP / tools that use similar command line flags and values

Techniques

Sample rules

HackTool - Hashcat Password Cracker Execution

Description

Execute Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains|all:
  - '-a '
  - '-m 1000 '
  - '-r '
selection_img:
  Image|endswith: \hashcat.exe