detection.wiki

Detection rules › Sigma

Credential Dumping Tools Service Execution - Security

Severity
high
Author
Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Source
upstream

Detects well-known credential dumping tools execution via service execution events

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1569.002 System Services: Service Execution
Credential AccessT1003.001 OS Credential Dumping: LSASS Memory, T1003.002 OS Credential Dumping: Security Account Manager, T1003.004 OS Credential Dumping: LSA Secrets, T1003.005 OS Credential Dumping: Cached Domain Credentials, T1003.006 OS Credential Dumping: DCSync

Event coverage

ProviderEvent IDTitle
Security-Auditing4697A service was installed in the system.

Stages and Predicates

Stage 1: selection

or:
ServiceFileName|contains: cachedump
ServiceFileName|contains: dumpsvc
ServiceFileName|contains: fgexec
ServiceFileName|contains: gsecdump
ServiceFileName|contains: mimidrv
ServiceFileName|contains: pwdump
ServiceFileName|contains: servpw

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ServiceFileNamematch
  • cachedump
  • dumpsvc
  • fgexec
  • gsecdump
  • mimidrv
  • pwdump
  • servpw

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.