attack.t1003.002

Suspicious Process Writes Ntds.dit
level
status experimental

Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file

PowerShell SAM Copy
level
status experimental

Detects suspicious PowerShell scripts accessing SAM hives

QuarksPwDump Dump File
level
status test

Detects a dump file written by QuarksPwDump password dumper

SAM Dump to AppData
level
status test

Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers

Mimikatz Use
level
status experimental

Detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups)

VSSAudit Security Event Source Registration
level
status experimental

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Transferring Files with Credential Data via Network Shares - Zeek
level
status test

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Transferring Files with Credential Data via Network Shares
level
status test

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Shadow Copies Creation Using Operating Systems Utilities
level
status test

Shadow copy creation using operating system utilities, possible credential access

Shadow Copies Access via Symlink
level
status test

Shadow copy storage symbolic link creation using operating system utilities

Registry Parse with Pypykatz
level
status experimental

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through the Windows Registry, where the SAM database is stored

Registry Dump of SAM Creds and Secrets
level
status experimental

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through the Windows Registry, where the SAM database is stored

QuarksPwDump Clearing Access History
level
status test

Detects QuarksPwDump clearing access history in hive

Possible Impacket SecretDump Remote Activity - Zeek
level
status test

Detects AD credential dumping using the Impacket secretdump HKTL. Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml

Possible Impacket SecretDump Remote Activity
level
status experimental

Detects AD credential dumping using the Impacket secretdump HKTL

Mimikatz Command Line
level
status test

Detects well-known Mimikatz command-line arguments

Grabbing Sensitive Hives via Reg Utility
level
status test

Detects dumping of the SAM, SYSTEM or SECURITY hives using the REG.exe utility

Esentutl Volume Shadow Copy Service Keys
level
status experimental

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

Credential Dumping Tools Service Execution
level
status experimental

Detects well-known credential dumping tools execution via service execution events

Cred Dump-Tools Named Pipes
level
status test

Detects well-known credential dumping tools execution via specific named pipes

Antivirus Password Dumper Detection
level
status test

Detects a highly relevant Antivirus alert that reports a password dumper
