SigmaHQ/rules/windows/builtin/win_mal_creddumper.yml

title: Malicious Service Install
description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 
          - 7045
          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
      - 'DumpSvc'
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
    condition: ( selection and keywords ) or quarkspwdump
falsepositives:
    - Unlikely
level: high