SigmaHQ/rules/windows/sysmon/sysmon_quarkspw_filedump.yml

title: QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth
date: 2018/02/10
tags:
  - attack.credential_access
  - attack.t1003
level: critical
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        # Sysmon: File Creation (ID 11)
        EventID: 11
        TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
    condition: selection
falsepositives:
    - Unknown
Rule: QuarksPwDump temp dump file 2018-02-10 14:25:36 +00:00			`title: QuarksPwDump Dump File`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 847def9e-924d-4e90-b7c4-5f581395a2b4`
Rule: QuarksPwDump temp dump file 2018-02-10 14:25:36 +00:00			`status: experimental`
			`description: Detects a dump file written by QuarksPwDump password dumper`
			`references:`
			`- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm`
			`author: Florian Roth`
			`date: 2018/02/10`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
Rule: QuarksPwDump temp dump file 2018-02-10 14:25:36 +00:00			`level: critical`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`# Sysmon: File Creation (ID 11)`
			`EventID: 11`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`TargetFilename: '\AppData\Local\Temp\SAM-.dmp*'`
Rule: QuarksPwDump temp dump file 2018-02-10 14:25:36 +00:00			`condition: selection`
			`falsepositives:`
			`- Unknown`