Detection rules › Kusto Query Language

Credential Dumping Tools - File Artifacts

Source: upstream

'This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/'

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "11"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

TargetFilename match "MaliciousFileArtifacts"

Stage 5: `parse`

Stage 6: `summarize`

Stage 7: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventID`	eq	`11` corpus 10 (splunk 10)
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`TargetFilename`	match	`MaliciousFileArtifacts`

Credential Dumping Tools - File Artifacts

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: parse

Stage 6: summarize

Stage 7: extend