title: Credential Dumping Tools Service Execution
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
description: Detects well-known credential dumping tools execution via service execution
  events
detection:
  SELECTION_1:
    EventID: 6
  SELECTION_2:
    ImageLoaded:
    - '*fgexec*'
    - '*dumpsvc*'
    - '*cachedump*'
    - '*mimidrv*'
    - '*gsecdump*'
    - '*servpw*'
    - '*pwdump*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
level: critical
logsource:
  category: driver_load
  product: windows
modified: 2021/11/10
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
  type: derived
status: experimental
tags:
- attack.credential_access
- attack.execution
- attack.t1003
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1035
- attack.t1569.002
- attack.s0005
ruletype: SIGMA