Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
Authors: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Log Source
Product: windows
Service: security
Definition
The 'System Security Extension' audit subcategory needs to be enabled for Windows to log EID 4697 (A service was installed in the system).
Detection Logic
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
False Positives
Legitimate Administrator using credential dumping tool for password recovery
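As an added example (not part of the rule page or the Sigma project), the selection above applied in Python to a few constructed EID 4697 records. Sigma string matching is case-insensitive, so the check lower-cases both sides; the field names follow the 4697 event message and all sample values are constructed.

```python
"""Added example: evaluate the rule's 'selection' against constructed
Windows Security EID 4697 (service install) events.  Sigma compares
strings case-insensitively, so both sides are lower-cased."""

# Values copied from the rule's 'ServiceFileName|contains' list.
CREDDUMP_MARKERS = ("cachedump", "dumpsvc", "fgexec", "gsecdump",
                    "mimidrv", "pwdump", "servpw")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection': EventID 4697 and a
    ServiceFileName containing one of the markers (case-insensitive)."""
    if event.get("EventID") != 4697:
        return False
    name = str(event.get("ServiceFileName", "")).lower()
    return any(marker in name for marker in CREDDUMP_MARKERS)


def triage(events):
    """Return (ServiceName, ServiceFileName) for every event that fires,
    so the analyst sees what was registered and where the binary lived."""
    return [(e.get("ServiceName"), e.get("ServiceFileName"))
            for e in events if matches_rule(e)]


# Constructed sample events (field names as in the EID 4697 message).
SAMPLE_EVENTS = [
    # Fires: marker present despite mixed case in the path.
    {"EventID": 4697, "ServiceName": "WinUpdateSvc",
     "ServiceFileName": "C:\\Windows\\Temp\\MimiDrv.sys"},
    # Fires: marker embedded in a quoted command line with arguments.
    {"EventID": 4697, "ServiceName": "svc1",
     "ServiceFileName": "\"C:\\tools\\pwdump7.exe\" -o out.txt"},
    # Does not fire: right event, benign service binary.
    {"EventID": 4697, "ServiceName": "Spooler",
     "ServiceFileName": "C:\\Windows\\System32\\spoolsv.exe"},
    # Does not fire: marker present but the EventID gate excludes it.
    {"EventID": 4688, "ServiceName": None,
     "ServiceFileName": "C:\\tools\\gsecdump.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT credential dumper installed as service:", hit)
```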
Rule Metadata
Rule ID
f0d1feba-4344-4ca9-8121-a6c97bd6df52
Status
test
Level
high
Type
Detection
Created
Sun Mar 05
Modified
Tue Nov 29
Path
rules/windows/builtin/security/win_security_mal_creddumper.yml
Raw Tags
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005