Find sigma rule

Attack: OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

MITRE

Tactic

credential-access

technique

T1003

Test : Gsecdump

OS

windows

Description:

Dump credentials from memory using Gsecdump.

Upon successful execution, you should see domain\username’s followed by two 32 character hashes.

If you see output that says “compat: error: failed to create child process”, execution was likely blocked by Anti-Virus. You will receive only error output if you do not run this test from an elevated context (run as administrator)

If you see a message saying “The system cannot find the path specified”, try using the get-prereq_commands to download and install Gsecdump first.

Executor

command_prompt

Sigma Rule

proc_access_win_lsass_susp_access_flag.yml (id: a18dd26b-6450-46de-8c91-9659150cf088)
proc_access_win_lsass_susp_source_process.yml (id: fa34b441-961a-42fa-a100-ecc28c886725)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test