title: Credential Dumping Tools Service Execution
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
description: Detects well-known credential dumping tools execution via service execution events
detection:
  SELECTION_1:
    EventID: 7045
  SELECTION_2:
    ImagePath: '*fgexec*'
  SELECTION_3:
    ImagePath: '*dumpsvc*'
  SELECTION_4:
    ImagePath: '*cachedump*'
  SELECTION_5:
    ImagePath: '*mimidrv*'
  SELECTION_6:
    ImagePath: '*gsecdump*'
  SELECTION_7:
    ImagePath: '*servpw*'
  SELECTION_8:
    ImagePath: '*pwdump*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
  - Legitimate Administrator using credential dumping tool for password recovery
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
level: high
logsource:
  product: windows
  service: system
modified: 2021/09/21
references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
  - attack.credential_access
  - attack.execution
  - attack.t1003
  - attack.t1003.001
  - attack.t1003.002
  - attack.t1003.004
  - attack.t1003.005
  - attack.t1003.006
  - attack.t1035
  - attack.t1569.002
  - attack.s0005
yml_filename: win_mal_creddumper.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
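As an added example (not part of the Sigma rule set), the rule's condition evaluated in Python over constructed Windows System-log records: EventID 7045 (Service Control Manager "new service installed") and an ImagePath matching one of the listed wildcard patterns, using Sigma's default case-insensitive matching. The event dicts, ServiceName values and sample paths are constructed for illustration.

```python
"""Reference evaluation of win_mal_creddumper.yml over constructed events."""
import re
from typing import Iterable, List

# ImagePath patterns copied from SELECTION_2 .. SELECTION_8 of the rule.
IMAGE_PATH_PATTERNS = [
    "*fgexec*", "*dumpsvc*", "*cachedump*", "*mimidrv*",
    "*gsecdump*", "*servpw*", "*pwdump*",
]
SERVICE_INSTALL_EVENT_ID = "7045"  # SELECTION_1; compared as text, see below


def sigma_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma string pattern into a regex.

    Only '*' is a wildcard; every other character is matched literally and,
    as in Sigma's default string matching, case-insensitively.
    """
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [sigma_wildcard_to_regex(p) for p in IMAGE_PATH_PATTERNS]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies: SELECTION_1 and (SELECTION_2 or ... or SELECTION_8)."""
    # Log pipelines deliver EventID as int or str; normalise to text before comparing.
    if str(event.get("EventID")) != SERVICE_INSTALL_EVENT_ID:
        return False
    image_path = event.get("ImagePath") or ""
    return any(rx.fullmatch(image_path) for rx in COMPILED_PATTERNS)


def alerts(events: Iterable[dict]) -> List[str]:
    """Return the ServiceName of every event that triggers the rule."""
    return [e.get("ServiceName", "<unknown>") for e in events if matches_rule(e)]


# Constructed sample 7045/7036 records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler2", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "MimiDrv", "ImagePath": r"C:\Users\Public\MIMIDRV.sys"},
    {"EventID": 7036, "ServiceName": "pwdump", "ImagePath": r"C:\Temp\pwdump7.exe"},  # not an install event
    {"EventID": "7045", "ServiceName": "svc", "ImagePath": r"\??\C:\Windows\Temp\gsecdump.exe"},
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT: credential dumping tool installed as service:", name)
```

The 7036 record shows why the EventID clause matters: a service named after a tool that merely changes state does not fire the rule, only its installation does.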