Sigma detection rules

Home/Sigma rules

Sigma

8 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

8 shown of 8

critical

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

status test author Teymur Kheirkhabarov, oscd.community id 961d0ba2-3eea-4303-a930-2cf78bbfcc5e

view Sigma YAML

title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: critical

high

Cred Dump Tools Dropped Files

Files with well-known filenames (parts of credential dump software or files produced by them) creation

status test author Teymur Kheirkhabarov, oscd.community id 8fbf3271-1ef6-4e94-8210-03c2317947f6

view Sigma YAML

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.003
    - attack.t1003.004
    - attack.t1003.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains:
              - '\fgdump-log'
              - '\kirbi'
              - '\pwdump'
              - '\pwhashes'
              - '\wce_ccache'
              - '\wce_krbtkts'
        - TargetFilename|endswith:
              - '\cachedump.exe'
              - '\cachedump64.exe'
              - '\DumpExt.dll'
              - '\DumpSvc.exe'
              - '\Dumpy.exe'
              - '\fgexec.exe'
              - '\lsremora.dll'
              - '\lsremora64.dll'
              - '\NTDS.out'
              - '\procdump.exe'
              - '\procdump64.exe'
              - '\procdump64a.exe'
              - '\pstgdump.exe'
              - '\pwdump.exe'
              - '\SAM.out'
              - '\SECURITY.out'
              - '\servpw.exe'
              - '\servpw64.exe'
              - '\SYSTEM.out'
              - '\test.pwd'
              - '\wceaux.dll'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml

high

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id f0d1feba-4344-4ca9-8121-a6c97bd6df52

view Sigma YAML

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

high

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id 4976aa50-8f41-45c6-8b15-ab3fc10e79ed

view Sigma YAML

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

high

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

status test author Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 id fd877b94-9bb5-4191-bb25-d79cbd93c167

view Sigma YAML

title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
      type: obsolete
    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
      type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - car.2013-07-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_flag:
        CommandLine|contains:
            - ' save '
            - ' export '
            - ' ˢave '
            - ' eˣport '
    selection_cli_hklm:
        CommandLine|contains:
            - 'hklm'
            - 'hk˪m'
            - 'hkey_local_machine'
            - 'hkey_˪ocal_machine'
            - 'hkey_loca˪_machine'
            - 'hkey_˪oca˪_machine'
    selection_cli_hive:
        CommandLine|contains:
            - '\system'
            - '\sam'
            - '\security'
            - '\ˢystem'
            - '\syˢtem'
            - '\ˢyˢtem'
            - '\ˢam'
            - '\ˢecurity'
    condition: all of selection_*
falsepositives:
    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high

high

HackTool - Mimikatz Execution

Detection well-known mimikatz command line arguments

status test author Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton id a642964e-bead-4bed-8910-1bb4d63e3b4d

view Sigma YAML

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

high

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

Detects usage of cmdkey to look for cached credentials on the system

status test author jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 07f8bdc2-c9b3-472a-9817-5a670b872f53

view Sigma YAML

title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains|windash: ' -l'
    condition: all of selection*
falsepositives:
    - Legitimate administrative tasks
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
simulation:
    - type: atomic-red-team
      name: Cached Credential Dump via Cmdkey
      technique: T1003.005
      atomic_guid: 56506854-89d6-46a3-9804-b7fde90791f9

medium

New Generic Credentials Added Via Cmdkey.EXE

Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b1ec66c6-f4d1-4b5c-96dd-af28ccae7727

view Sigma YAML

title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
simulation:
    - type: atomic-red-team
      name: RDP to DomainController
      technique: T1021.001
      atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e

Showing 1-8 of 8

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin