Sigma | Level: high | Hunting
HackTool - Quarks PwDump Execution
Detects usage of the Quarks PwDump tool via commandline arguments
Detection Query
selection_img:
    Image|endswith: '\QuarksPwDump.exe'
selection_cli:
    CommandLine:
        - ' -dhl'
        - ' --dump-hash-local'
        - ' -dhdc'
        - ' --dump-hash-domain-cached'
        - ' --dump-bitlocker'
        - ' -dhd '
        - ' --dump-hash-domain '
        - '--ntds-file'
condition: 1 of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-05
Data Sources
windows: Process Creation Events
Platforms
windows
References
Tags
attack.credential-access, attack.t1003.002
Raw Content
title: HackTool - Quarks PwDump Execution
id: 0685b176-c816-4837-8e7b-1216f346636b
status: test
description: Detects usage of the Quarks PwDump tool via commandline arguments
references:
    - https://github.com/quarkslab/quarkspwdump
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\QuarksPwDump.exe'
    selection_cli:
        CommandLine:
            - ' -dhl'
            - ' --dump-hash-local'
            - ' -dhdc'
            - ' --dump-hash-domain-cached'
            - ' --dump-bitlocker'
            - ' -dhd '
            - ' --dump-hash-domain '
            - '--ntds-file'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
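To show how the rule's two selections and the "1 of selection_*" condition evaluate in practice, the following is an added example (not code from the rule author or the Sigma project) that applies them to constructed process-creation events. It assumes case-insensitive matching, a suffix match for Image|endswith, and substring matching for the CommandLine values, which the leading and trailing spaces in those values imply.

```python
# Added example, not part of the rule or the Sigma project: evaluates the rule's
# two selections against constructed process-creation events. Assumptions: Sigma
# string matching is case-insensitive, Image|endswith is a suffix match, and the
# CommandLine values are substrings (the spaces in the rule's values imply this).
IMAGE_SUFFIX = "\\QuarksPwDump.exe"
CLI_MARKERS = [
    " -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached",
    " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file",
]

def selection_img(event):
    """Image|endswith: '\\QuarksPwDump.exe'"""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())

def selection_cli(event):
    """CommandLine contains any of the listed switches."""
    cli = event.get("CommandLine", "").lower()
    return any(marker.lower() in cli for marker in CLI_MARKERS)

def which_selections(event):
    """Names of the selections that fire for one event."""
    checks = (("selection_img", selection_img), ("selection_cli", selection_cli))
    return [name for name, check in checks if check(event)]

def matches(event):
    """condition: 1 of selection_* -> the rule fires if any selection fires."""
    return bool(which_selections(event))

# Constructed sample events (not real telemetry), Sysmon-style field names.
SAMPLE_EVENTS = [
    # renamed binary: only the command-line selection can catch it
    {"Image": "C:\\Temp\\q.exe", "CommandLine": "q.exe --dump-hash-domain-cached"},
    # original file name with no arguments: the image selection alone fires
    {"Image": "C:\\Users\\Public\\QuarksPwDump.exe", "CommandLine": "QuarksPwDump.exe"},
    # benign process: nothing fires
    {"Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig -all"},
    # the trailing space in ' -dhd ' keeps an unrelated '-dhdx' switch from matching
    {"Image": "C:\\Temp\\tool.exe", "CommandLine": "tool.exe -dhdx"},
]

def run(events=SAMPLE_EVENTS):
    """Return (CommandLine, fired selections) for each event."""
    return [(e["CommandLine"], which_selections(e)) for e in events]

if __name__ == "__main__":
    for cli, fired in run():
        print("ALERT" if fired else "ok   ", repr(cli), fired)
```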