SigmaHQ/rules/windows/malware/av_password_dumper.yml
2020-10-15 16:11:52 -03:00

35 lines
848 B
YAML

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
description: Detects a highly relevant Antivirus alert that reports a password dumper
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
product: antivirus
detection:
selection:
Signature|contains:
- "DumpCreds"
- "Mimikatz"
- "PWCrack"
- "Tool/WCE"
- "PSWtool"
- "PWDump"
- "SecurityTool"
- "PShlSpy"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical