title: SVCHOST Credential Dump
author: Florent Labouyrie
date: 2021/04/30
description: Detects when a process, such as mimikatz, accesses the memory of svchost
  to dump credentials
detection:
  SELECTION_1:
    EventID: 10
  SELECTION_2:
    TargetImage: '*\svchost.exe'
  SELECTION_3:
    GrantedAccess: '0x143a'
  SELECTION_4:
    SourceImage:
    - '*\services.exe'
    - '*\msiexec.exe'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Non identified legit exectubale
id: 174afcfa-6e40-4ae9-af64-496546389294
level: critical
logsource:
  category: process_access
  product: windows
status: experimental
tags:
- attack.t1548
ruletype: SIGMA