Find sigma rule

Attack: OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

MITRE

Tactic

credential-access

technique

T1003

Test : Send NTLM Hash with RPC Test Connection

OS

windows

Description:

RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. Ref: https://twitter.com/vysecurity/status/974806438316072960

Executor

powershell

Sigma Rule

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test