Find sigma rule

Attack: OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

MITRE

Tactic

credential-access

technique

T1003

Test : Dump Credential Manager using keymgr.dll and rundll32.exe

OS

windows

Description:

This test executes the exported function KRShowKeyMgr located in keymgr.dll using rundll32.exe. It opens a window that allows to export stored Windows credentials from the credential manager to a file (.crd by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.). Reference: https://twitter.com/0gtweet/status/1415671356239216653

Executor

powershell

Sigma Rule

posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
proc_creation_win_powershell_susp_child_processes.yml (id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647)
proc_creation_win_rundll32_uncommon_dll_extension.yml (id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf)
proc_creation_win_rundll32_keymgr.yml (id: a4694263-59a8-4608-a3a0-6f8d3a51664c)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test