HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: selection
or:
SourceImage|endswith: '\Akagi.exe'
SourceImage|endswith: '\Akagi64.exe'
SourceImage|endswith: '\Certify.exe'
SourceImage|endswith: '\Certipy.exe'
SourceImage|endswith: '\CoercedPotato.exe'
SourceImage|endswith: '\CreateMiniDump.exe'
SourceImage|endswith: '\GetADUsers_windows.exe'
SourceImage|endswith: '\GetNPUsers_windows.exe'
SourceImage|endswith: '\GetUserSPNs_windows.exe'
SourceImage|endswith: '\Inveigh.exe'
SourceImage|endswith: '\LocalPotato.exe'
SourceImage|endswith: '\PasswordDump.exe'
SourceImage|endswith: '\Potato.exe'
SourceImage|endswith: '\PowerTool.exe'
SourceImage|endswith: '\PowerTool64.exe'
SourceImage|endswith: '\PurpleSharp.exe'
SourceImage|endswith: '\QuarksPwDump.exe'
SourceImage|endswith: '\Rubeus.exe'
SourceImage|endswith: '\SafetyKatz.exe'
SourceImage|endswith: '\SelectMyParent.exe'
SourceImage|endswith: '\SharPersist.exe'
SourceImage|endswith: '\SharpChisel.exe'
SourceImage|endswith: '\SharpEvtMute.exe'
SourceImage|endswith: '\SharpImpersonation.exe'
SourceImage|endswith: '\SharpLDAPmonitor.exe'
SourceImage|endswith: '\SharpLdapWhoami.exe'
SourceImage|endswith: '\SharpUp.exe'
SourceImage|endswith: '\SharpView.exe'
SourceImage|endswith: '\SpoolSample.exe'
SourceImage|endswith: '\Stracciatella.exe'
SourceImage|endswith: '\SysmonEOP.exe'
SourceImage|endswith: '\TruffleSnout.exe'
SourceImage|endswith: '\atexec_windows.exe'
SourceImage|endswith: '\crackmapexec.exe'
SourceImage|endswith: '\dcomexec_windows.exe'
SourceImage|endswith: '\dpapi_windows.exe'
SourceImage|endswith: '\findDelegation_windows.exe'
SourceImage|endswith: '\getPac_windows.exe'
SourceImage|endswith: '\getST_windows.exe'
SourceImage|endswith: '\getTGT_windows.exe'
SourceImage|endswith: '\gmer.exe'
SourceImage|endswith: '\hashcat.exe'
SourceImage|endswith: '\htran.exe'
SourceImage|endswith: '\ifmap_windows.exe'
SourceImage|endswith: '\impersonate.exe'
SourceImage|endswith: '\mimikatz.exe'
SourceImage|endswith: '\mimikatz_windows.exe'
SourceImage|endswith: '\netview_windows.exe'
SourceImage|endswith: '\nmapAnswerMachine_windows.exe'
SourceImage|endswith: '\opdump_windows.exe'
SourceImage|endswith: '\psexec_windows.exe'
SourceImage|endswith: '\pypykatz.exe'
SourceImage|endswith: '\rdp_check_windows.exe'
SourceImage|endswith: '\sambaPipe_windows.exe'
SourceImage|endswith: '\smbclient_windows.exe'
SourceImage|endswith: '\smbserver_windows.exe'
SourceImage|endswith: '\sniff_windows.exe'
SourceImage|endswith: '\sniffer_windows.exe'
SourceImage|endswith: '\split_windows.exe'
SourceImage|endswith: '\temp\rot.exe'
SourceImage|endswith: '\ticketer_windows.exe'
SourceImage|endswith: '\winPEASany.exe'
SourceImage|endswith: '\winPEASany_ofs.exe'
SourceImage|endswith: '\winPEASx64.exe'
SourceImage|endswith: '\winPEASx64_ofs.exe'
SourceImage|endswith: '\winPEASx86.exe'
SourceImage|endswith: '\winPEASx86_ofs.exe'
SourceImage|endswith: '\xordump.exe'
SourceImage|contains: 'HotPotato'
SourceImage|contains: 'Juicy Potato'
SourceImage|contains: 'JuicyPotato'
SourceImage|contains: 'PetitPotam'
SourceImage|contains: 'RottenPotato'
SourceImage|contains: '\LocalPotato'
SourceImage|contains: '\goldenPac'
SourceImage|contains: '\just_dce_'
SourceImage|contains: '\karmaSMB'
SourceImage|contains: '\kintercept'
SourceImage|contains: '\ntlmrelayx'
SourceImage|contains: '\rpcdump'
SourceImage|contains: '\samrdump'
SourceImage|contains: '\secretsdump'
SourceImage|contains: '\smbexec'
SourceImage|contains: '\smbrelayx'
SourceImage|contains: '\wmiexec'
SourceImage|contains: '\wmipersist'
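An added example, not code from the rule or the catalog: a small Python matcher that applies the Stage 1 selection above to constructed Sysmon Event ID 10 records. It carries only a subset of the rule's values (the tuples `ENDSWITH` and `CONTAINS` are assumed names and should be extended with the full lists), lower-cases both sides to mirror Sigma's default case-insensitive string matching, and includes a renamed-binary sample to show the limitation the description states: the rule keys on default image names, so a tool copied under another name produces no hit.

```python
# Added example (not part of the rule or the catalog): evaluates the
# "Stage 1: selection" predicates against Sysmon Event ID 10 records.
from __future__ import annotations

# Subset of the rule's SourceImage|endswith values; extend with the full
# list from Stage 1 for production use.
ENDSWITH = (
    r'\Akagi.exe',
    r'\CreateMiniDump.exe',
    r'\Rubeus.exe',
    r'\SafetyKatz.exe',
    r'\crackmapexec.exe',
    r'\hashcat.exe',
    r'\mimikatz.exe',
    r'\pypykatz.exe',
    r'\temp\rot.exe',
    r'\xordump.exe',
)

# Subset of the rule's SourceImage|contains values.
CONTAINS = (
    'HotPotato',
    'Juicy Potato',
    'JuicyPotato',
    'PetitPotam',
    'RottenPotato',
    r'\LocalPotato',
    r'\ntlmrelayx',
    r'\secretsdump',
    r'\wmiexec',
)


def source_image_matches(source_image: str,
                         endswith: tuple[str, ...] = ENDSWITH,
                         contains: tuple[str, ...] = CONTAINS) -> str | None:
    """Return the first matching predicate ('endswith:<value>' or
    'contains:<value>'), or None when the selection does not fire.

    Sigma string comparisons are case-insensitive by default, so both
    sides are lower-cased. A leading backslash in a value pins the match
    to the start of a path component, exactly as in the rule.
    """
    needle = source_image.lower()
    for value in endswith:
        if needle.endswith(value.lower()):
            return f'endswith:{value}'
    for value in contains:
        if value.lower() in needle:
            return f'contains:{value}'
    return None


def evaluate(events: list[dict]) -> list[dict]:
    """Apply the selection to a batch of events and return one alert per hit.

    Only Sysmon Event ID 10 (ProcessAccess) carries SourceImage, matching
    the rule's event coverage; other event IDs are ignored.
    """
    alerts = []
    for event in events:
        if event.get('EventID') != 10:
            continue
        predicate = source_image_matches(event.get('SourceImage', ''))
        if predicate is None:
            continue
        alerts.append({
            'rule': 'HackTool - Generic Process Access',
            'technique': 'T1003.001',
            'predicate': predicate,
            'SourceImage': event['SourceImage'],
            'TargetImage': event.get('TargetImage'),
            'GrantedAccess': event.get('GrantedAccess'),
        })
    return alerts


# Constructed sample events in the shape of Sysmon EID 10 fields (not real telemetry).
LSASS = r'C:\Windows\System32\lsass.exe'
SAMPLE_EVENTS = [
    # default image name of a credential-dumping tool: hit via endswith
    {'EventID': 10, 'SourceImage': r'C:\Users\bob\Downloads\mimikatz.exe',
     'TargetImage': LSASS, 'GrantedAccess': '0x1010'},
    # tool running from its own folder: hit via contains
    {'EventID': 10, 'SourceImage': r'C:\Tools\JuicyPotato\JuicyPotato.exe',
     'TargetImage': r'C:\Windows\System32\svchost.exe', 'GrantedAccess': '0x1F0FFF'},
    # routine OS access to lsass: no hit
    {'EventID': 10, 'SourceImage': r'C:\Windows\System32\svchost.exe',
     'TargetImage': LSASS, 'GrantedAccess': '0x1000'},
    # different casing on disk: still a hit (case-insensitive matching)
    {'EventID': 10, 'SourceImage': r'C:\Temp\RUBEUS.EXE',
     'TargetImage': LSASS, 'GrantedAccess': '0x1010'},
    # process-creation event (EID 1) carries Image, not SourceImage: ignored
    {'EventID': 1, 'Image': r'C:\Temp\Rubeus.exe'},
    # renamed copy of a tool: no hit, the rule's stated limitation (default names only)
    {'EventID': 10, 'SourceImage': r'C:\Temp\katz.exe',
     'TargetImage': LSASS, 'GrantedAccess': '0x1010'},
]

if __name__ == '__main__':
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['predicate']:<28} {alert['SourceImage']} -> {alert['TargetImage']}")
```

Running the block prints three alerts (the mimikatz, JuicyPotato and RUBEUS.EXE records) and nothing for the svchost, EID 1 or renamed-binary records. A real Sigma backend compiles the `endswith` and `contains` modifiers into its own query language; the function above reproduces the semantics, not any backend's output, so the same sample records can be replayed through the SIEM query to confirm the converted rule behaves identically.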
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| SourceImage | ends_with | the 68 image-name suffixes listed as `endswith` predicates under Stage 1 |
| SourceImage | match | the 18 substrings listed as `contains` predicates under Stage 1 |