← Back to Explore
sigmahighHunting
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
Detection Query
selection:
EventID: 4697
ServiceFileName|contains:
- cachedump
- dumpsvc
- fgexec
- gsecdump
- mimidrv
- pwdump
- servpw
condition: selection
Author
Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Created
2017-03-05
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.credential-accessattack.executionattack.t1003.001attack.t1003.002attack.t1003.004attack.t1003.005attack.t1003.006attack.t1569.002attack.s0005
Raw Content
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high