← Back to Explore
sigmacriticalTTP
Antivirus - Password Dumper Signature
Detects a highly relevant Antivirus alert that reports password dumpers and stealers. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.
Detection Query
selection:
- Signature|startswith: PWS
- Signature|contains:
- Certify
- DCSync
- Creddump
- DumpCreds
- DumpLsass
- DumpPert
- FormBook
- HTool/WCE
- Kekeo
- Lazagne
- LsassDump
- Lummast
- Mimikatz
- MultiDump
- Multiverze
- Nanodump
- NativeDump
- Outflank
- PShlSpy
- PSWTool
- PWCrack
- PWDump
- PWS.
- PWSX
- pypykatz
- Rubeus
- SafetyKatz
- SecurityTool
- SharpChrome
- SharpDPAPI
- SharpDump
- SharpKatz
- SharpS.
- ShpKatz
- Steal
- TrickDump
- wsass
condition: selection
Author
Florian Roth (Nextron Systems), Arnim Rupp
Created
2018-09-09
Data Sources
antivirus
References
Tags
attack.credential-accessattack.t1003attack.t1558attack.t1003.001attack.t1003.002
Raw Content
title: Antivirus - Password Dumper Signature
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports password dumpers and stealers.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2026-06-15
tags:
- attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'Creddump'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'FormBook'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Lummast'
- 'Mimikatz'
- 'MultiDump'
- 'Multiverze'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'Steal'
- 'TrickDump'
- 'wsass'
condition: selection
falsepositives:
- Unlikely
level: critical