title: Antivirus Password Dumper Detection
author: Florian Roth
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports a password dumper
detection:
  SELECTION_1:
    Signature:
    - '*DumpCreds*'
    - '*Mimikatz*'
    - '*PWCrack*'
    - '*HTool/WCE*'
    - '*PSWtool*'
    - '*PWDump*'
    - '*SecurityTool*'
    - '*PShlSpy*'
    - '*Rubeus*'
    - '*Kekeo*'
    - '*LsassDump*'
    - '*Outflank*'
  condition: SELECTION_1
falsepositives:
- Unlikely
fields:
- FileName
- User
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
level: critical
logsource:
  product: antivirus
modified: 2019/10/04
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
ruletype: SIGMA