atomic-threat-coverage/detection_rules/win_mal_creddumper.yml

title: Malicious Service Install
description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 
          - 7045
          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
      - 'DumpSvc'
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
    condition: ( selection and keywords ) or quarkspwdump
falsepositives:
    - Unlikely
level: high
Fixing DN for Detection Rule 2019-02-10 22:02:42 +00:00			`title: Malicious Service Install`
			`description: This method detects well-known keywords of malicious services in the Windows System Eventlog`
			`author: Florian Roth`
			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
			`- attack.s0005`
			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID:`
			`- 7045`
			`- 4697`
			`keywords:`
			`- 'WCE SERVICE'`
			`- 'WCESERVICE'`
			`- 'DumpSvc'`
			`quarkspwdump:`
			`EventID: 16`
			`HiveName: '\AppData\Local\Temp\SAM.dmp'`
			`condition: ( selection and keywords ) or quarkspwdump`
			`falsepositives:`
			`- Unlikely`
			`level: high`