Detectioncriticaltest

HackTool - QuarksPwDump Dump File

Detects a dump file written by QuarksPwDump password dumper

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Sat Feb 10Updated Thu Jun 27847def9e-924d-4e90-b7c4-5f581395a2b4windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

847def9e-924d-4e90-b7c4-5f581395a2b4

Status

test

Level

critical

Type

Detection

Created

Sat Feb 10

Modified

Thu Jun 27

Author

Path

rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml

Raw Tags

attack.credential-accessattack.t1003.002