Detectionhightest
HackTool - Quarks PwDump Execution
Detects usage of the Quarks PwDump tool via commandline arguments
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Sep 05Updated Sun Feb 050685b176-c816-4837-8e7b-1216f346636bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
Image|endswith: '\QuarksPwDump.exe'
selection_cli:
CommandLine:
- ' -dhl'
- ' --dump-hash-local'
- ' -dhdc'
- ' --dump-hash-domain-cached'
- ' --dump-bitlocker'
- ' -dhd '
- ' --dump-hash-domain '
- '--ntds-file'
condition: 1 of selection_*False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
0685b176-c816-4837-8e7b-1216f346636b
Status
test
Level
high
Type
Detection
Created
Mon Sep 05
Modified
Sun Feb 05
Path
rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
Raw Tags
attack.credential-accessattack.t1003.002