-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCredential_Dumping.yml
More file actions
138 lines (134 loc) · 3.75 KB
/
Credential_Dumping.yml
File metadata and controls
138 lines (134 loc) · 3.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
detect:
events:
- NEW_PROCESS
- EXISTING_PROCESS
- WEL
op: or
rules:
- op: and
rules:
- op: is windows
- op: and
rules:
- op: and
rules:
- case sensitive: false
op: ends with
path: event/FILE_PATH
value: \reg.exe
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: ' query '
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: '/t '
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: REG_SZ
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: /s
- op: or
rules:
- op: and
rules:
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: '/f '
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: HKLM
- op: and
rules:
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: '/f '
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: HKCU
- case sensitive: false
op: ends with
path: event/COMMAND_LINE
value: \PuTTY\Sessions
- case sensitive: false
op: contains
path: event/COMMAND_LINE
value: lsa_dump_sam
- op: and
rules:
- op: is windows
- op: and
rules:
- case sensitive: false
op: is
path: event/EVENT/System/EventID
value: '4697'
- op: or
rules:
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: cachedump
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: dumpsvc
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: fgexec
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: gsecdump
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: mimidrv
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: pwdump
- case sensitive: false
op: contains
path: event/EVENT/EventData/ServiceFileName
value: servpw
- op: and
rules:
- case sensitive: false
op: is
path: Event/System/EventID
value: '4657'
- case sensitive: false
op: contains
path: Event/EventData/ObjectName
value: \Microsoft\Windows Defender\Exclusions\
respond:
- action: report
metadata:
author: Sawood(TAGTREX), Shehroz(TAGTREX)
description: Credential Dumping using All in one. This rule has a capavility to detect know credential dumping tools and their services which would trigger via tools.
falsepositives:
- Unknown for registry enumeration
- Legitimate Administrator using credential dumping tool for password recovery
level: high
tags:
- attack.credential_access
- attack.t1552.002
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
name: Credential Dumping via REG,SERVICES,TOOLS