Sigma rules for APT41
512 rules · scoped to actor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\CreateMiniDump.exe'
        - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
      type: similar
status: experimental
description: |
    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
    These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
    dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
references:
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1003.001
    - attack.t1685
logsource:
    category: process_access
    product: windows
detection:
    selection_lsass_calltrace:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
    # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
    # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
    # Uncomment if you observe false positives with the default rule.
    # selection_granted_access:
    #     GrantedAccess|contains:
    #         - '0x1fffff'
    #         - '0x10'
    #         - '0x1010'
    #         - '0x1410'
    #         - '0x1438'
    selection_susp_location:
        SourceImage|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Possibly during software installation or update processes
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml

title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\rundll32.exe'
        CallTrace|contains: 'comsvcs.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|contains: 'dump'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Rare programs that contain the word dump in their name and access lsass
level: high

title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        - SourceImage|endswith:
              - '\Akagi.exe'
              - '\Akagi64.exe'
              - '\atexec_windows.exe'
              - '\Certify.exe'
              - '\Certipy.exe'
              - '\CoercedPotato.exe'
              - '\crackmapexec.exe'
              - '\CreateMiniDump.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\gmer.exe'
              - '\hashcat.exe'
              - '\htran.exe'
              - '\ifmap_windows.exe'
              - '\impersonate.exe'
              - '\Inveigh.exe'
              - '\LocalPotato.exe'
              - '\mimikatz_windows.exe'
              - '\mimikatz.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\PasswordDump.exe'
              - '\Potato.exe'
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
              - '\psexec_windows.exe'
              - '\PurpleSharp.exe'
              - '\pypykatz.exe'
              - '\QuarksPwDump.exe'
              - '\rdp_check_windows.exe'
              - '\Rubeus.exe'
              - '\SafetyKatz.exe'
              - '\sambaPipe_windows.exe'
              - '\SelectMyParent.exe'
              - '\SharpChisel.exe'
              - '\SharPersist.exe'
              - '\SharpEvtMute.exe'
              - '\SharpImpersonation.exe'
              - '\SharpLDAPmonitor.exe'
              - '\SharpLdapWhoami.exe'
              - '\SharpUp.exe'
              - '\SharpView.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\SpoolSample.exe'
              - '\Stracciatella.exe'
              - '\SysmonEOP.exe'
              - '\temp\rot.exe'
              - '\ticketer_windows.exe'
              - '\TruffleSnout.exe'
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
              - '\xordump.exe'
        - SourceImage|contains:
              - '\goldenPac'
              - '\just_dce_'
              - '\karmaSMB'
              - '\kintercept'
              - '\LocalPotato'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
              - 'HotPotato'
              - 'Juicy Potato'
              - 'JuicyPotato'
              - 'PetitPotam'
              - 'RottenPotato'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe' # Citrix
            - '\ProcessDump.exe' # Cisco Jabber
            - '\dump64.exe' # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
    - https://twitter.com/SBousseaden/status/1541920424635912196
    - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
    - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\svchost.exe'
        GrantedAccess: '0x14c0'
        CallTrace|contains: 'seclogon.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    - https://twitter.com/bh4b3sh/status/1303674603819081728
    - https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0349
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high

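Three of the process_access selections above (the "dump" keyword rule with its `GrantedAccess|endswith` list, the WinRM rule with its `selection and not 1 of filter_main_*` condition, and the HandleKatz rule with its exact `0x1440` mask) can be exercised offline with a small evaluator. The following is an added example, not code from the Sigma project or from the rule authors: it implements only the Sigma field modifiers those selections use (exact match, `contains`, `startswith`, `endswith`, `|all`, and a list of values as OR), decodes a `GrantedAccess` value into the documented Win32 `PROCESS_*` rights so the `0x1440` comment and the suffix list can be checked, and runs the three selections over constructed Sysmon Event ID 10 style records. The records, their `id` values and the function names are assumptions of the example.

```python
# Added example, not the Sigma project's code: evaluates three selections from
# this page over constructed Sysmon Event ID 10 style records.

# Documented Win32 PROCESS_* access rights, used to read a GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Sigma string modifiers used by these rules; comparisons are case-insensitive.
MODIFIERS = {
    "": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "startswith": lambda v, p: v.startswith(p),
    "endswith": lambda v, p: v.endswith(p),
}


def decode_access(mask_hex):
    """Names of the rights set in a GrantedAccess value such as '0x1440'."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def field_matches(key, patterns, event):
    """'Field|modifier[|all]': a list of patterns is OR unless |all is given."""
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    need_all = "all" in mods
    modifier = next((m for m in mods if m != "all"), "")
    if isinstance(patterns, str):
        patterns = [patterns]
    hits = [MODIFIERS[modifier](value.lower(), p.lower()) for p in patterns]
    return all(hits) if need_all else any(hits)


def selection_matches(selection, event):
    """Every field of a selection must match (AND)."""
    return all(field_matches(k, v, event) for k, v in selection.items())


# Selections transcribed from the rules above.
DUMP_KEYWORD = {
    "TargetImage|endswith": r"\lsass.exe",
    "SourceImage|contains": "dump",
    "GrantedAccess|endswith": [
        "10", "30", "50", "70", "90", "B0", "D0", "F0",
        "18", "38", "58", "78", "98", "B8", "D8", "F8",
        "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA",
        "0x14C2", "FF",
    ],
}
WINRM_SELECTION = {
    "TargetImage|endswith": r"\lsass.exe",
    "SourceImage|endswith": r":\Windows\system32\wsmprovhost.exe",
}
WINRM_FILTER = {"GrantedAccess": "0x80000000"}
HANDLEKATZ = {
    "TargetImage|endswith": r"\lsass.exe",
    "GrantedAccess": "0x1440",
    "CallTrace|startswith": r"C:\Windows\System32\ntdll.dll+",
    "CallTrace|contains": "|UNKNOWN(",
    "CallTrace|endswith": ")",
}

# Constructed records (ids are ours); real events carry more fields.
LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
EVENTS = [
    {"id": 1, "SourceImage": r"C:\Users\Public\procdump64.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2a8a6"},
    {"id": 2, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},
    {"id": 3, "SourceImage": r"C:\Temp\hk.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1440", "CallTrace": NTDLL + "|UNKNOWN(00000000001C119B)"},
    {"id": 4, "SourceImage": r"C:\Windows\system32\wsmprovhost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x80000000", "CallTrace": NTDLL},
    {"id": 5, "SourceImage": r"C:\Windows\system32\wsmprovhost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL},
]


def run_rules(events):
    """Event ids matched per rule; the WinRM rule is 'selection and not filter'."""
    return {
        "dump_keyword": [e["id"] for e in events if selection_matches(DUMP_KEYWORD, e)],
        "winrm": [e["id"] for e in events
                  if selection_matches(WINRM_SELECTION, e) and not selection_matches(WINRM_FILTER, e)],
        "handlekatz": [e["id"] for e in events if selection_matches(HANDLEKATZ, e)],
    }
```

`endswith` on `GrantedAccess` is a textual test on the hex string, so `0x1010` and `0x1410` match `'10'` while `0x1000` does not. Decoding the masks shows what the list encodes: every two-character suffix has an odd high nibble, which means PROCESS_VM_READ (0x10) is set, whereas the `0x14C2` entry taken from ATPMiniDump lacks VM_READ and is listed on its own. Event 4 shows the effect of `filter_main_access`: the wsmprovhost access with `0x80000000` is dropped, the one with `0x1010` is kept.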
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\WerFault.exe'
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Actual failures in lsass.exe that trigger a crash dump (unlikely)
    - Unknown cases in which WerFault accesses lsass.exe
level: high

title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
    - https://twitter.com/sbousseaden/status/1555200155351228419
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-02-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Hashes|contains:
            # Add more hashes for other windows versions
            - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
            - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
            - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
            - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
            - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
    filter:
        ImageLoaded|endswith: '\comsvcs.dll'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/1196390321783025666
    - https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1218
    - attack.t1003.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\ttdrecord.dll'
            - '\ttdwriter.dll'
            - '\ttdloader.dll'
    condition: selection
falsepositives:
    - Legitimate usage by software developers/testers
level: high

title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
    Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
references:
    - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2022-12-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Signed: 'false'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
    - attack.s0002
    - attack.lateral-movement
    - attack.credential-access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        - 'dpapi::masterkey'
        - 'eo.oe.kiwi'
        - 'event::clear'
        - 'event::drop'
        - 'gentilkiwi.com'
        - 'kerberos::golden'
        - 'kerberos::ptc'
        - 'kerberos::ptt'
        - 'kerberos::tgt'
        - 'Kiwi Legit Printer'
        - 'lsadump::'
        - 'mimidrv.sys'
        - '\mimilib.dll'
        - 'misc::printnightmare'
        - 'misc::shadowcopies'
        - 'misc::skeleton'
        - 'privilege::backup'
        - 'privilege::debug'
        - 'privilege::driver'
        - 'sekurlsa::'
    filter:
        EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
    condition: keywords and not filter
falsepositives:
    - Naughty administrators
    - AV Signature updates
    - Files with Mimikatz in their filename
level: high

title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection
falsepositives:
    - Rare legitimate crashing of the lsass process
level: high

title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
status: test
description: Detects a handle request on the LSASS process with a certain access mask and object type SAM_DOMAIN
references:
    - https://twitter.com/jackcr/status/807385668833968128
author: sigma
date: 2017-02-12
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ProcessName|endswith: '\lsass.exe'
        AccessMask: '0x705'
        ObjectType: 'SAM_DOMAIN'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
        Details: 'DWORD (0x00000002)' # Full Dump
    condition: selection
falsepositives:
    - Legitimate application that needs to do a full dump of their process
level: high

title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detects AD credential dumping using the impacket secretsdump HKTL. Based on the SIGMA rule rules/windows/builtin/win_impacket_secretdump.yml'
references:
    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.003
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path|contains|all:
            - '\'
            - 'ADMIN$'
        name|contains: 'SYSTEM32\'
        name|endswith: '.tmp'
    condition: selection
falsepositives:
    - Unknown
level: high

title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
    - https://adsecurity.org/?p=2398
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection_ntds:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_img:
        Image|endswith:
            # Add more suspicious processes as you see fit
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wt.exe'
    selection_process_paths:
        Image|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_ntds and 1 of selection_process_*
falsepositives:
    - Unknown
level: high

title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
    - https://github.com/search?q=CVE-2021-36934
    - https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
    - https://www.google.com/search?q=%22reg.exe+save%22+sam
    - https://github.com/HuskyHacks/ShadowSteal
    - https://github.com/FireFart/hivenightmare
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|endswith:
              - '\Temp\sam'
              - '\sam.sav'
              - '\Intel\sam'
              - '\sam.hive'
              - '\Perflogs\sam'
              - '\ProgramData\sam'
              - '\Users\Public\sam'
              - '\AppData\Local\sam'
              - '\AppData\Roaming\sam'
              - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
              - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
              - ':\sam'
        - TargetFilename|contains:
              - '\hive_sam_' # https://github.com/FireFart/hivenightmare
              - '\sam.save'
              - '\sam.export'
              - '\~reg_sam.save'
              - '\sam_backup'
              - '\sam.bck'
              - '\sam.backup'
    condition: selection
falsepositives:
    - Rare cases of administrative activity
level: high

title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
      type: obsolete
    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
      type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - car.2013-07-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_flag:
        CommandLine|contains:
            - ' save '
            - ' export '
            - ' ˢave '
            - ' eˣport '
    selection_cli_hklm:
        CommandLine|contains:
            - 'hklm'
            - 'hk˪m'
            - 'hkey_local_machine'
            - 'hkey_˪ocal_machine'
            - 'hkey_loca˪_machine'
            - 'hkey_˪oca˪_machine'
    selection_cli_hive:
        CommandLine|contains:
            - '\system'
            - '\sam'
            - '\security'
            - '\ˢystem'
            - '\syˢtem'
            - '\ˢyˢtem'
            - '\ˢam'
            - '\ˢecurity'
    condition: all of selection_*
falsepositives:
    - Dumping hives for legitimate purposes, i.e. backup or forensic investigation
level: high

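The rule above lists each keyword twice: once in ASCII and once with the modifier letters (ˢ, ˣ, ˪) that Windows' command-line parsing treats like the ASCII letters they resemble, which is why the obfuscation reference is cited. The following is an added example, not code from the Sigma project or the rule authors: it folds exactly those three characters back to ASCII, so the three `selection_cli_*` checks need only the ASCII patterns, and evaluates the rule's `all of selection_*` logic (including the `OriginalFileName` alternative in `selection_img`) over constructed process_creation command lines. The mapping table, the sample command lines and the function names are assumptions of the example.

```python
# Added example, not the Sigma project's code: evaluates the reg.exe hive-dump
# selections above against constructed command lines, folding the three
# substitute letters the rule enumerates back to ASCII before matching.

# Our mapping, limited to the characters the rule spells out.
HOMOGLYPHS = {"ˢ": "s", "ˣ": "x", "˪": "l"}

# ASCII forms of selection_cli_flag, selection_cli_hklm and selection_cli_hive.
FLAG_PATTERNS = [" save ", " export "]
HKLM_PATTERNS = ["hklm", "hkey_local_machine"]
HIVE_PATTERNS = ["\\system", "\\sam", "\\security"]


def fold(cmdline):
    """Replace the listed substitute letters and lower-case the result."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in cmdline).lower()


def is_reg_image(image, original_file_name=None):
    """selection_img: Image ends with \\reg.exe OR OriginalFileName is reg.exe."""
    return (image.lower().endswith("\\reg.exe")
            or (original_file_name or "").lower() == "reg.exe")


def reg_hive_dump(image, cmdline, original_file_name=None):
    """condition: all of selection_* (image AND flag AND hklm AND hive)."""
    if not is_reg_image(image, original_file_name):
        return False
    cl = fold(cmdline)
    return (any(p in cl for p in FLAG_PATTERNS)
            and any(p in cl for p in HKLM_PATTERNS)
            and any(p in cl for p in HIVE_PATTERNS))


# Constructed process_creation samples: (Image, CommandLine, OriginalFileName).
REG = r"C:\Windows\System32\reg.exe"
SAMPLES = [
    (REG, r"reg save hklm\sam C:\Temp\sam", None),
    (REG, r"reg ˢave hk˪m\ˢam C:\Temp\s", None),                        # substituted letters
    (REG, r"reg eˣport hkey_˪ocal_machine\ˢecurity C:\Temp\x", None),  # long key name form
    (REG, r"reg query hklm\software\microsoft\windows", None),          # no save/export flag
    (REG, r"reg export hkcu\software\foo C:\Temp\foo.reg", None),       # not HKLM, not a credential hive
    (r"C:\Users\Public\rg.exe", r"rg save hklm\system C:\Temp\sys", "reg.exe"),  # renamed copy, OriginalFileName intact
]


def evaluate(samples=SAMPLES):
    """Verdict per sample, in order."""
    return [reg_hive_dump(img, cl, orig) for img, cl, orig in samples]


if __name__ == "__main__":
    for (img, cl, _), verdict in zip(SAMPLES, evaluate()):
        print(verdict, cl)
```

Sigma backends compare the command line as logged and do not normalize it, which is why the rule has to enumerate the substituted spellings itself; folding at ingestion time, as this example does, is the alternative when the log pipeline allows it, and it also catches combinations the rule does not list (for example ` eˣport ` together with `\ˢyˢtem`). Note that the pattern `' save '` carries a space on each side, so `reg save` at the very end of a command line would not match either form.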
title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
    - https://github.com/skelsec/pypykatz
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022-01-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\pypykatz.exe'
            - '\python.exe'
        CommandLine|contains|all:
            - 'live'
            - 'registry'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PowerShell SAM Copy
id: 1af57a4b-460a-4738-9034-db68b880c665
status: test
description: Detects suspicious PowerShell scripts accessing SAM hives
references:
    - https://twitter.com/splinter_code/status/1420546784250769408
author: Florian Roth (Nextron Systems)
date: 2021-07-29
modified: 2023-01-06
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '\HarddiskVolumeShadowCopy'
            - 'System32\config\sam'
    selection_2:
        CommandLine|contains:
            - 'Copy-Item'
            - 'cp $_.'
            - 'cpi $_.'
            - 'copy $_.'
            - '.File]::Copy('
    condition: all of selection*
falsepositives:
    - Some rare backup scenarios
    - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
level: high

title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
    Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
    - https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
    - https://lolbas-project.github.io/lolbas/Binaries/Print/
author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1003.003
    - attack.t1003.002
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\print.exe'
        - OriginalFileName: 'Print.EXE'
    selection_cli:
        CommandLine|contains|windash: '/D'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files/info.yml

title: VolumeShadowCopy Symlink Creation Via Mklink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
status: stable
description: Detects the creation of a symbolic link to Volume Shadow Copy storage using operating system utilities
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-03-06
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'mklink'
- 'HarddiskVolumeShadowCopy'
condition: selection
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
level: high
title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Detects the copying of files with well-known filenames (sensitive files containing credential data)
references:
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.003
- car.2013-07-001
- attack.s0404
logsource:
category: process_creation
product: windows
detection:
selection_esent_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe' # OriginalFileName is the PE version-info value and carries no path separator
selection_esent_cli:
CommandLine|contains|windash:
- 'vss'
- ' /m '
- ' /y '
selection_susp_paths:
CommandLine|contains:
- '\config\RegBack\sam'
- '\config\RegBack\security'
- '\config\RegBack\system'
- '\config\sam'
- '\config\security'
- '\config\system ' # space needed to avoid false positives with \config\systemprofile\
- '\repair\sam'
- '\repair\security'
- '\repair\system'
- '\windows\ntds\ntds.dit'
condition: all of selection_esent_* or selection_susp_paths
falsepositives:
- Copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.
level: high
title: HackTool - Quarks PwDump Execution
id: 0685b176-c816-4837-8e7b-1216f346636b
status: test
description: Detects usage of the Quarks PwDump tool via command line arguments
references:
- https://github.com/quarkslab/quarkspwdump
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-05
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\QuarksPwDump.exe'
selection_cli:
CommandLine|contains: # substring match; an exact match on these fragments would never fire
- ' -dhl'
- ' --dump-hash-local'
- ' -dhdc'
- ' --dump-hash-domain-cached'
- ' --dump-bitlocker'
- ' -dhd '
- ' --dump-hash-domain '
- '--ntds-file'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detects Active Directory credential dumping using the Impacket secretsdump hack tool (HKTL)
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
- id: 839dd1e8-eda8-4834-8145-01beeee33acd
type: obsolete
status: test
description: |
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 16
Provider_Name: Microsoft-Windows-Kernel-General
HiveName|contains:
- '\Temp\SAM'
- '\Temp\SECURITY'
condition: selection
falsepositives:
- Unknown
level: high
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
status: test
description: Detects suspicious invocation of the Get-ADDBAccount script, which reads from an ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
author: Florian Roth (Nextron Systems)
date: 2022-03-16
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains|all:
- 'Get-ADDBAccount'
- 'BootKey '
- 'DatabasePath '
condition: selection
falsepositives:
- Unknown
level: high
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
- attack.credential-access
- attack.t1003.003
- attack.ds0005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Win32_ShadowCopy
- ').Create('
- ClientAccessible
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: high
title: NTDS.DIT Creation By Uncommon Parent Process
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
related:
- id: 11b1ed55-154d-4e82-8ad7-83739298f720
type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
selection_file:
TargetFilename|endswith: '\ntds.dit'
selection_process_parent:
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
ParentImage|endswith:
- '\cscript.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
- '\wscript.exe'
selection_process_parent_path:
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: selection_file and 1 of selection_process_*
falsepositives:
- Unknown
level: high
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
condition: selection
falsepositives:
- Unknown
level: high
title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database (ntds.dit).
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020-07-04
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\ditsnap.exe'
- CommandLine|contains: 'ditsnap.exe'
condition: selection
falsepositives:
- Legitimate admin usage
level: high
title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: test
description: |
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_backup:
CommandLine|contains:
- 'start'
- 'backup'
selection_path:
CommandLine|contains:
- '\config\SAM'
- '\config\SECURITY'
- '\config\SYSTEM'
- '\Windows\NTDS\NTDS.dit'
condition: all of selection_*
falsepositives:
- Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case-by-case basis.
level: high
title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
- id: 6fe4aa1e-0531-4510-8be2-782154b73b48
type: derived
status: test
description: |
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_backup:
CommandLine|contains|all:
- ' recovery'
- 'recoveryTarget'
- 'itemtype:File'
CommandLine|contains:
- '\config\SAM'
- '\config\SECURITY'
- '\config\SYSTEM'
- '\Windows\NTDS\NTDS.dit'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
- https://github.com/zcgonvh/NTDSDumpEx
- https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: process_creation
detection:
selection_tool:
# https://github.com/zcgonvh/NTDSDumpEx
- Image|endswith:
- '\NTDSDump.exe'
- '\NTDSDumpEx.exe'
- CommandLine|contains|all:
# ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
- 'ntds.dit'
- 'system.hiv'
- CommandLine|contains: 'NTDSgrab.ps1'
selection_oneliner_1:
# powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CommandLine|contains|all:
- 'ac i ntds'
- 'create full'
selection_oneliner_2:
# cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
CommandLine|contains|all:
- '/c copy '
- '\windows\ntds\ntds.dit'
selection_oneliner_3:
# ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit"
CommandLine|contains|all:
- 'activate instance ntds'
- 'create full'
selection_powershell:
CommandLine|contains|all:
- 'powershell'
- 'ntds.dit'
set1_selection_ntds_dit:
CommandLine|contains: 'ntds.dit'
set1_selection_image_folder:
- ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
- Image|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: 1 of selection* or all of set1*
falsepositives:
- Unknown
level: high
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.lateral-movement
- attack.collection
- attack.t1021
- attack.t1005
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5000
condition: selection
falsepositives:
- Unlikely
level: high
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
- id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.execution
- attack.collection
- attack.t1005
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '/node'
- '/bun'
selection_child:
- Image|endswith:
- '/trufflehog'
- '/gitleaks'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects a dump of credentials from the VeeamBackup database (dbo.Credentials table) via sqlcmd
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-02-13
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
- attack.credential-access
- attack.t1539
- attack.t1555.003
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
- Product: SQLite
- Image|endswith:
- '\sqlite.exe'
- '\sqlite3.exe'
selection_chromium:
CommandLine|contains:
- '\User Data\' # Most common folder for user profile data among Chromium browsers
- '\Opera Software\' # Opera
- '\ChromiumViewer\' # Sleipnir (Fenrir)
selection_data:
CommandLine|contains:
- 'Login Data' # Passwords
- 'Cookies'
- 'Web Data' # Credit cards, autofill data
- 'History'
- 'Bookmarks'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
- attack.credential-access
- attack.t1539
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
- Product: SQLite
- Image|endswith:
- '\sqlite.exe'
- '\sqlite3.exe'
selection_firefox:
CommandLine|contains:
- 'cookies.sqlite'
- 'places.sqlite' # Bookmarks, history
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
- id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
filter:
Image|endswith: '\outlook.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of the Outlook setting "LoadMacroProviderOnBoot", which, if enabled, allows the automatic loading of any configured VBA project/module
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
Details|contains: '0x00000001'
condition: selection
falsepositives:
- Unknown
level: high