EXPLORE
← Back to Explore
sigmacriticalTTP

Antivirus - Password Dumper Signature

Detects a highly relevant Antivirus alert that reports password dumpers and stealers. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.

MITRE ATT&CK

credential-access

Detection Query

selection:
  - Signature|startswith: PWS
  - Signature|contains:
      - Certify
      - DCSync
      - Creddump
      - DumpCreds
      - DumpLsass
      - DumpPert
      - FormBook
      - HTool/WCE
      - Kekeo
      - Lazagne
      - LsassDump
      - Lummast
      - Mimikatz
      - MultiDump
      - Multiverze
      - Nanodump
      - NativeDump
      - Outflank
      - PShlSpy
      - PSWTool
      - PWCrack
      - PWDump
      - PWS.
      - PWSX
      - pypykatz
      - Rubeus
      - SafetyKatz
      - SecurityTool
      - SharpChrome
      - SharpDPAPI
      - SharpDump
      - SharpKatz
      - SharpS.
      - ShpKatz
      - Steal
      - TrickDump
      - wsass
condition: selection

Author

Florian Roth (Nextron Systems), Arnim Rupp

Created

2018-09-09

Data Sources

antivirus

Tags

attack.credential-accessattack.t1003attack.t1558attack.t1003.001attack.t1003.002
Raw Content
title: Antivirus - Password Dumper Signature
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports password dumpers and stealers.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2026-06-15
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'Creddump'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'FormBook'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Lummast'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Multiverze'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'Steal'
              - 'TrickDump'
              - 'wsass'
    condition: selection
falsepositives:
    - Unlikely
level: critical