Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation
status testauthor Teymur Kheirkhabarov, oscd.communityid 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
view Sigma YAML
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
high
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
status testauthor Teymur Kheirkhabarov, oscd.communityid 8fbf3271-1ef6-4e94-8210-03c2317947f6
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
status testauthor Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113id fd877b94-9bb5-4191-bb25-d79cbd93c167
view Sigma YAML
title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
- id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
type: obsolete
- id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- car.2013-07-001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_flag:
CommandLine|contains:
- ' save '
- ' export '
- ' ˢave '
- ' eˣport '
selection_cli_hklm:
CommandLine|contains:
- 'hklm'
- 'hk˪m'
- 'hkey_local_machine'
- 'hkey_˪ocal_machine'
- 'hkey_loca˪_machine'
- 'hkey_˪oca˪_machine'
selection_cli_hive:
CommandLine|contains:
- '\system'
- '\sam'
- '\security'
- '\ˢystem'
- '\syˢtem'
- '\ˢyˢtem'
- '\ˢam'
- '\ˢecurity'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
high
HackTool - Mimikatz Execution
Detection well-known mimikatz command line arguments
status testauthor Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Sheltonid a642964e-bead-4bed-8910-1bb4d63e3b4d
view Sigma YAML
title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
logsource:
category: process_creation
product: windows
detection:
selection_tools_name:
CommandLine|contains:
- 'DumpCreds'
- 'mimikatz'
selection_function_names: # To cover functions from modules that are not in module_names
CommandLine|contains:
- '::aadcookie' # misc module
- '::detours' # misc module
- '::memssp' # misc module
- '::mflt' # misc module
- '::ncroutemon' # misc module
- '::ngcsign' # misc module
- '::printnightmare' # misc module
- '::skeleton' # misc module
- '::preshutdown' # service module
- '::mstsc' # ts module
- '::multirdp' # ts module
selection_module_names:
CommandLine|contains:
- 'rpc::'
- 'token::'
- 'crypto::'
- 'dpapi::'
- 'sekurlsa::'
- 'kerberos::'
- 'lsadump::'
- 'privilege::'
- 'process::'
- 'vault::'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
high
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
status testauthor Florian Roth (Nextron Systems), David ANDRE (additional keywords)id 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
view Sigma YAML
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
- attack.s0002
- attack.lateral-movement
- attack.credential-access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
detection:
keywords:
- 'dpapi::masterkey'
- 'eo.oe.kiwi'
- 'event::clear'
- 'event::drop'
- 'gentilkiwi.com'
- 'kerberos::golden'
- 'kerberos::ptc'
- 'kerberos::ptt'
- 'kerberos::tgt'
- 'Kiwi Legit Printer'
- 'lsadump::'
- 'mimidrv.sys'
- '\mimilib.dll'
- 'misc::printnightmare'
- 'misc::shadowcopies'
- 'misc::skeleton'
- 'privilege::backup'
- 'privilege::debug'
- 'privilege::driver'
- 'sekurlsa::'
filter:
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
condition: keywords and not filter
falsepositives:
- Naughty administrators
- AV Signature updates
- Files with Mimikatz in their filename
level: high
high
PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 8a1b2c3d-4e5f-6789-abcd-ef1234567890
view Sigma YAML
title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
- https://github.com/ufrisk/MemProcFS
- https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
- https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
- attack.t1003.004
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MemProcFS.exe'
- OriginalFileName: 'MemProcFS.exe'
- Description: 'MemProcFS'
selection_cli:
CommandLine|contains: '-device'
condition: all of selection_*
falsepositives:
- Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
high
Possible Impacket SecretDump Remote Activity
Detect AD credential dumping using impacket secretdump HKTL
status testauthor Samir Bousseaden, waggaid 252902e3-5830-4cf6-bf21-c22083dfd5cf
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detect AD credential dumping using impacket secretdump HKTL
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
high
Possible Impacket SecretDump Remote Activity - Zeek
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
status testauthor Samir Bousseaden, @neu5ronid 92dae1ed-1c9d-4eff-a567-33acbd95b00e
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\'
- 'ADMIN$'
name|contains: 'SYSTEM32\'
name|endswith: '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
medium
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
status testauthor Roberto Rodriguez @Cyb3rWard0gid 39a94fd1-8c9a-4ff6-bf22-c058762f8014
view Sigma YAML
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
status: test
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2023-03-15
tags:
- attack.credential-access
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
EventID: 4692
condition: selection
falsepositives:
- If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
level: medium