Cred Dump Tools Dropped Files

Severity: high
Author: Teymur Kheirkhabarov, oscd.community
Source: upstream

Files with well-known filenames (parts of credential dump software or files produced by them) creation

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory, `T1003.002` OS Credential Dumping: Security Account Manager, `T1003.003` OS Credential Dumping: NTDS, `T1003.004` OS Credential Dumping: LSA Secrets, `T1003.005` OS Credential Dumping: Cached Domain Credentials

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
TargetFilename|endswith: '\DumpExt.dll'
TargetFilename|endswith: '\DumpSvc.exe'
TargetFilename|endswith: '\Dumpy.exe'
TargetFilename|endswith: '\NTDS.out'
TargetFilename|endswith: '\SAM.out'
TargetFilename|endswith: '\SECURITY.out'
TargetFilename|endswith: '\SYSTEM.out'
TargetFilename|endswith: '\cachedump.exe'
TargetFilename|endswith: '\cachedump64.exe'
TargetFilename|endswith: '\fgexec.exe'
TargetFilename|endswith: '\lsremora.dll'
TargetFilename|endswith: '\lsremora64.dll'
TargetFilename|endswith: '\procdump.exe'
TargetFilename|endswith: '\procdump64.exe'
TargetFilename|endswith: '\procdump64a.exe'
TargetFilename|endswith: '\pstgdump.exe'
TargetFilename|endswith: '\pwdump.exe'
TargetFilename|endswith: '\servpw.exe'
TargetFilename|endswith: '\servpw64.exe'
TargetFilename|endswith: '\test.pwd'
TargetFilename|endswith: '\wceaux.dll'
TargetFilename|contains: '\fgdump-log'
TargetFilename|contains: '\kirbi'
TargetFilename|contains: '\pwdump'
TargetFilename|contains: '\pwhashes'
TargetFilename|contains: '\wce_ccache'
TargetFilename|contains: '\wce_krbtkts'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.