SigmaHQ/rules/windows/builtin/win_mal_creddumper.yml

---
action: global
title: Malicious Service Install
description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 
          - 7045
          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
      - 'DumpSvc'
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
    condition: ( selection and keywords ) or quarkspwdump
falsepositives:
    - Unlikely
level: high
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
atc review 2019-03-06 04:25:12 +00:00			`---`
			`action: global`
Windows Malicious Password Dumper Service Installs 2017-03-05 22:52:02 +00:00			`title: Malicious Service Install`
			`description: This method detects well-known keywords of malicious services in the Windows System Eventlog`
			`author: Florian Roth`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
			`- attack.s0005`
Windows Malicious Password Dumper Service Installs 2017-03-05 22:52:02 +00:00			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID:`
			`- 7045`
			`- 4697`
			`keywords:`
			`- 'WCE SERVICE'`
			`- 'WCESERVICE'`
			`- 'DumpSvc'`
			`quarkspwdump:`
			`EventID: 16`
			`HiveName: '\AppData\Local\Temp\SAM.dmp'`
			`condition: ( selection and keywords ) or quarkspwdump`
			`falsepositives:`
			`- Unlikely`
			`level: high`
atc review 2019-03-06 04:25:12 +00:00			`---`
			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 4697`