
Antivirus Password Dumper Detection

Detects a highly relevant antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

MITRE ATT&CK

credential-access

Detection Query

selection:
  - Signature|startswith: PWS
  - Signature|contains:
      - Certify
      - DCSync
      - DumpCreds
      - DumpLsass
      - DumpPert
      - HTool/WCE
      - Kekeo
      - Lazagne
      - LsassDump
      - Mimikatz
      - MultiDump
      - Nanodump
      - NativeDump
      - Outflank
      - PShlSpy
      - PSWTool
      - PWCrack
      - PWDump
      - PWS.
      - PWSX
      - pypykatz
      - Rubeus
      - SafetyKatz
      - SecurityTool
      - SharpChrome
      - SharpDPAPI
      - SharpDump
      - SharpKatz
      - SharpS.
      - ShpKatz
      - TrickDump
condition: selection
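
To check how this selection actually behaves on antivirus events, here is an added example (not part of the Sigma project or of this rule) that re-implements the selection in plain Python and runs it over constructed AV events. It assumes the semantics of the Sigma specification: the `startswith` and `contains` modifiers match case-insensitively, the values under `Signature|contains` are OR-ed, and the two list entries under `selection` are OR-ed as well. The event field names and the signature strings are constructed (in the style of Microsoft Defender threat names) and are not taken from the rule's references.

```python
"""Reference matcher for the 'Antivirus Password Dumper Detection' Sigma rule.

Added example, not code from the Sigma project: it re-implements the rule's
selection logic in Python and runs it over constructed AV events so the match
semantics can be checked without a Sigma backend.

Assumed Sigma semantics: |startswith and |contains are case-insensitive,
a list of values under one field is OR-ed, and the two entries under
`selection` are OR-ed.
"""
import re
from typing import Optional

# Pattern values copied from the rule's selection.
STARTSWITH = ["PWS"]
CONTAINS = [
    "Certify", "DCSync", "DumpCreds", "DumpLsass", "DumpPert", "HTool/WCE",
    "Kekeo", "Lazagne", "LsassDump", "Mimikatz", "MultiDump", "Nanodump",
    "NativeDump", "Outflank", "PShlSpy", "PSWTool", "PWCrack", "PWDump",
    "PWS.", "PWSX", "pypykatz", "Rubeus", "SafetyKatz", "SecurityTool",
    "SharpChrome", "SharpDPAPI", "SharpDump", "SharpKatz", "SharpS.",
    "ShpKatz", "TrickDump",
]


def matched_pattern(signature: str) -> Optional[str]:
    """Return the rule pattern that fires on this AV signature, or None.

    The first matching pattern in rule order is returned; putting it into an
    enrichment field tells the analyst why the alert fired.
    """
    sig = signature.lower()
    for prefix in STARTSWITH:
        if sig.startswith(prefix.lower()):
            return f"startswith:{prefix}"
    for token in CONTAINS:
        # Sigma 'contains' is a plain substring test: the '.' in 'PWS.' and
        # 'SharpS.' is a literal dot, not a wildcard.
        if token.lower() in sig:
            return f"contains:{token}"
    return None


def rule_regex():
    """Collapse the selection into one case-insensitive regex.

    This is the shape a Sigma backend emits for log stores that only offer
    regex matching; re.escape keeps the literal dots and the slash in
    'HTool/WCE' from being interpreted.
    """
    alternatives = [f"^{re.escape(p)}" for p in STARTSWITH]
    alternatives += [re.escape(t) for t in CONTAINS]
    return re.compile("|".join(alternatives), re.IGNORECASE)


def alerts(events: list) -> list:
    """Run the rule over AV events and return the ones that fire, enriched."""
    hits = []
    for ev in events:
        why = matched_pattern(ev.get("Signature", ""))
        if why is not None:
            hits.append({**ev, "sigma_match": why})
    return hits


# Constructed sample events (field names and threat names are illustrative).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "HackTool:Win32/Mimikatz!pz", "Action": "Quarantined"},
    {"Computer": "ws02", "Signature": "PWS:Win32/Fareit.A", "Action": "Blocked"},
    {"Computer": "ws03", "Signature": "Trojan:Win32/Emotet.B", "Action": "Quarantined"},
    {"Computer": "ws04", "Signature": "hacktool/lazagne.a", "Action": "Blocked"},
    {"Computer": "ws05", "Signature": "Adware:Win32/Generic", "Action": "Allowed"},
    {"Computer": "ws06", "Signature": "HackTool:Win64/SharpDPAPI.A", "Action": "Quarantined"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        # The rule fires regardless of 'Action': a blocked dumper still means
        # someone tried to run one on that host, which is what the rule is for.
        print(f"{hit['Computer']:5} {hit['Action']:11} {hit['Signature']}  <- {hit['sigma_match']}")
```

Four of the six constructed events fire (Mimikatz, the `PWS:` prefix, the lower-case LaZagne name and SharpDPAPI); the Emotet and adware events do not. The `Action` field is deliberately not part of the match, consistent with the rule description: a quarantined dumper is still a credential-access attempt on that host and is the thing to investigate. The regex form is equivalent to the selection and is the sort of expression a converter produces for a backend without `startswith`/`contains` operators.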

Author

Florian Roth (Nextron Systems), Arnim Rupp

Created

2018-09-09

Data Sources

antivirus

Tags

attack.credential-access
attack.t1003
attack.t1558
attack.t1003.001
attack.t1003.002

Raw Content

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical