valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8d6a507ec4
SigmaHQ/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00

26 lines
747 B
YAML
Raw Blame History

title: Cred dump-tools named pipes
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
description: Detects well-known credential dumping tools execution via specific named pipes
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 17
PipeName|contains:
- '\lsadump'
- '\cachedump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: medium
status: experimental
Reference in New Issue View Git Blame Copy Permalink