Find sigma rule
Attack: OS Credential Dumping
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
MITRE
Tactic
- credential-access
Technique
- T1003
Test : Credential Dumping with NPPSpy
OS
- windows
Description:
Changes the ProviderOrder registry key parameter and creates a key for NPPSpy. After the user logs in, the cleartext password is saved in C:\NPPSpy.txt. Clean-up deletes the files and reverses the registry changes. NPPSpy source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Executor
powershell
Sigma Rule
- file_event_win_hktl_nppspy.yml (id: cad1fe90-2406-44dc-bd03-59d0b58fe722)
- registry_set_asep_reg_keys_modification_currentcontrolset.yml (id: f674e36a-4b91-431e-8aef-f8a96c2aca35)