title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        AccessMask: '0x100'
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter:
        - SubjectUserName|endswith: '$'
        - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: critical

title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical

title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
        - CommandLine|contains: 'Dumpert.dll'
    condition: selection
falsepositives:
    - Very unlikely
level: critical

title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Inveigh.exe'
        - OriginalFileName:
              - '\Inveigh.exe'
              - '\Inveigh.dll'
        - Description: 'Inveigh'
        - CommandLine|contains:
              - ' -SpooferIP'
              - ' -ReplyToIPs '
              - ' -ReplyToDomains '
              - ' -ReplyToMACs '
              - ' -SnifferIP'
    condition: selection
falsepositives:
    - Very unlikely
level: critical

title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SafetyKatz.exe'
        - OriginalFileName: 'SafetyKatz.exe'
        - Description: 'SafetyKatz'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical

title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\lsass.exe'
        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.credential-access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectName|endswith: '\wceaux.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Files with well-known filenames (sensitive files with credential data) copying
references:
    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
    - car.2013-07-001
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection_esent_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: '\esentutl.exe'
    selection_esent_cli:
        CommandLine|contains|windash:
            - 'vss'
            - ' /m '
            - ' /y '
    selection_susp_paths:
        CommandLine|contains:
            - '\config\RegBack\sam'
            - '\config\RegBack\security'
            - '\config\RegBack\system'
            - '\config\sam'
            - '\config\security'
            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
            - '\repair\sam'
            - '\repair\security'
            - '\repair\system'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_esent_* or selection_susp_paths
falsepositives:
    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
level: high

title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
    - attack.credential-access
    - attack.t1003.003
    - attack.ds0005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Win32_ShadowCopy
            - ').Create('
            - ClientAccessible
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: high

title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\createdump.exe'
        - OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        CommandLine|contains:
            - ' -u ' # Short version of '--full'
            - ' --full '
            - ' -f ' # Short version of '--name'
            - ' --name '
            - '.dmp '
    condition: all of selection_*
falsepositives:
    - Command lines that use the same flags
level: high

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.003
    - attack.t1003.004
    - attack.t1003.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains:
              - '\fgdump-log'
              - '\kirbi'
              - '\pwdump'
              - '\pwhashes'
              - '\wce_ccache'
              - '\wce_krbtkts'
        - TargetFilename|endswith:
              - '\cachedump.exe'
              - '\cachedump64.exe'
              - '\DumpExt.dll'
              - '\DumpSvc.exe'
              - '\Dumpy.exe'
              - '\fgexec.exe'
              - '\lsremora.dll'
              - '\lsremora64.dll'
              - '\NTDS.out'
              - '\procdump.exe'
              - '\procdump64.exe'
              - '\procdump64a.exe'
              - '\pstgdump.exe'
              - '\pwdump.exe'
              - '\SAM.out'
              - '\SECURITY.out'
              - '\servpw.exe'
              - '\servpw64.exe'
              - '\SYSTEM.out'
              - '\test.pwd'
              - '\wceaux.dll'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml

title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    - https://twitter.com/bh4b3sh/status/1303674603819081728
    - https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0349
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\WerFault.exe'
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Actual failures in lsass.exe that trigger a crash dump (unlikely)
    - Unknown cases in which WerFault accesses lsass.exe
level: high

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsolete
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high

title: DPAPI Domain Backup Key Extraction
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
status: test
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2022-02-24
tags:
    - attack.credential-access
    - attack.t1003.004
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'SecretObject'
        AccessMask: '0x2'
        ObjectName|contains: 'BCKUPKEY'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
      type: obsolete
    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
      type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - car.2013-07-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_flag:
        CommandLine|contains:
            - ' save '
            - ' export '
            - ' ˢave '
            - ' eˣport '
    selection_cli_hklm:
        CommandLine|contains:
            - 'hklm'
            - 'hk˪m'
            - 'hkey_local_machine'
            - 'hkey_˪ocal_machine'
            - 'hkey_loca˪_machine'
            - 'hkey_˪oca˪_machine'
    selection_cli_hive:
        CommandLine|contains:
            - '\system'
            - '\sam'
            - '\security'
            - '\ˢystem'
            - '\syˢtem'
            - '\ˢyˢtem'
            - '\ˢam'
            - '\ˢecurity'
    condition: all of selection_*
falsepositives:
    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high

title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
        Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
    filter:
        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
    selection_names_str:
        TargetFilename|endswith:
            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
    selection_names_re:
        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
    condition: selection_path and 1 of selection_names_*
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_lsass_dump1:
        CommandLine|contains|all:
            - 'tasklist /fi '
            - 'Imagename eq lsass.exe'
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_lsass_dump2:
        CommandLine|contains|all:
            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
            - '\Windows\Temp\'
            - ' full'
            - '%%B'
    selection_procdump:
        CommandLine|contains|all:
            - 'tasklist /v /fo csv'
            - 'findstr /i "lsass"'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\CreateMiniDump.exe'
        - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
    - https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Doppelganger.exe'
        - Hashes|contains:
              - 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
              - 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        - SourceImage|endswith:
              - '\Akagi.exe'
              - '\Akagi64.exe'
              - '\atexec_windows.exe'
              - '\Certify.exe'
              - '\Certipy.exe'
              - '\CoercedPotato.exe'
              - '\crackmapexec.exe'
              - '\CreateMiniDump.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\gmer.exe'
              - '\hashcat.exe'
              - '\htran.exe'
              - '\ifmap_windows.exe'
              - '\impersonate.exe'
              - '\Inveigh.exe'
              - '\LocalPotato.exe'
              - '\mimikatz_windows.exe'
              - '\mimikatz.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\PasswordDump.exe'
              - '\Potato.exe'
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
              - '\psexec_windows.exe'
              - '\PurpleSharp.exe'
              - '\pypykatz.exe'
              - '\QuarksPwDump.exe'
              - '\rdp_check_windows.exe'
              - '\Rubeus.exe'
              - '\SafetyKatz.exe'
              - '\sambaPipe_windows.exe'
              - '\SelectMyParent.exe'
              - '\SharpChisel.exe'
              - '\SharPersist.exe'
              - '\SharpEvtMute.exe'
              - '\SharpImpersonation.exe'
              - '\SharpLDAPmonitor.exe'
              - '\SharpLdapWhoami.exe'
              - '\SharpUp.exe'
              - '\SharpView.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\SpoolSample.exe'
              - '\Stracciatella.exe'
              - '\SysmonEOP.exe'
              - '\temp\rot.exe'
              - '\ticketer_windows.exe'
              - '\TruffleSnout.exe'
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
              - '\xordump.exe'
        - SourceImage|contains:
              - '\goldenPac'
              - '\just_dce_'
              - '\karmaSMB'
              - '\kintercept'
              - '\LocalPotato'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
              - 'HotPotato'
              - 'Juicy Potato'
              - 'JuicyPotato'
              - 'PetitPotam'
              - 'RottenPotato'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\loader.exe'
        CommandLine|contains: '--pid:'
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
            - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
    selection_flags:
        CommandLine|contains|all:
            - '--pid:'
            - '--outfile:'
        CommandLine|contains:
            - '.dmp'
            - 'lsass'
            - '.obf'
            - 'dump'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https://github.com/fortra/impacket
author: "The DFIR Report, IrishDeath"
date: 2025-05-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_names_re:
        TargetFilename|re: '\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51
    condition: selection_names_re
falsepositives:
    - Unknown
level: high

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
        TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
    - https://github.com/skelsec/pypykatz
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022-01-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \pypykatz.exe
            - \python.exe
        CommandLine|contains|all:
            - 'live'
            - 'registry'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Quarks PwDump Execution
id: 0685b176-c816-4837-8e7b-1216f346636b
status: test
description: Detects usage of the Quarks PwDump tool via commandline arguments
references:
    - https://github.com/quarkslab/quarkspwdump
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\QuarksPwDump.exe'
    selection_cli:
        CommandLine:
            - ' -dhl'
            - ' --dump-hash-local'
            - ' -dhdc'
            - ' --dump-hash-domain-cached'
            - ' --dump-bitlocker'
            - ' -dhd '
            - ' --dump-hash-domain '
            - '--ntds-file'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'asreproast '
            - 'dump /service:krbtgt '
            - 'dump /luid:0x'
            - 'kerberoast '
            - 'createnetonly /program:'
            - 'ptt /ticket:'
            - '/impersonateuser:'
            - 'renew /ticket:'
            - 'asktgt /user:'
            - 'harvest /interval:'
            - 's4u /user:'
            - 's4u /ticket:'
            - 'hash /password:'
            - 'golden /aes256:'
            - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Temp\debug.bin'
    condition: selection
falsepositives:
    - Rare legitimate files with similar filename structure
level: high

title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
    - https://github.com/TwoSevenOneT/WSASS
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wsass.exe'
    selection_hash:
        Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
    selection_cli:
        # change to |re|i after Sigma v2.0 release
        # plain string without quotation marks as it has to match for both ' and "
        CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xordump.exe'
        - CommandLine|contains:
              - ' -process lsass.exe '
              - ' -m comsvcs '
              - ' -m dbghelp '
              - ' -m dbgcore '
    condition: selection
falsepositives:
    - Another tool that uses the command line switches of XORdump
level: high

title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
    condition: selection
falsepositives:
    - Unlikely
level: high

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high

title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe'  # Citrix
            - '\ProcessDump.exe'     # Cisco Jabber
            - '\dump64.exe'          # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high

title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/lsassy
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains:
              - 'lsass.dmp'
              - 'lsass.zip'
              - 'lsass.rar'
              - 'Andrew.dmp'
              - 'Coredump.dmp'
              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
              - 'lsassdump'
              - 'lsassdmp'
        - CommandLine|contains|all:
              - 'lsass'
              - '.dmp'
        - CommandLine|contains|all:
              - 'SQLDmpr'
              - '.mdmp'
        - CommandLine|contains|all:
              - 'nanodump'
              - '.dmp'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|contains: 'dump'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Rare programs that contain the word dump in their name and access lsass
level: high

title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection
falsepositives:
    - Rare legitimate crashing of the lsass process
level: high

title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
        TargetFilename|contains: 'lsass.exe.'
        TargetFilename|endswith: '.dmp'
    condition: selection
falsepositives:
    - Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high