Find sigma rule
Attack: OS Credential Dumping
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
MITRE
Tactic
- credential-access
technique
- T1003
Test : Dump svchost.exe to gather RDP credentials
OS
- windows
Description:
The svchost.exe contains the RDP plain-text credentials. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
Executor
powershell
Sigma Rule
-
posh_pm_susp_get_nettcpconnection.yml (id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1)
-
posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
-
proc_creation_win_rundll32_process_dump_via_comsvcs.yml (id: 646ea171-dded-4578-8a4d-65e9822892e3)
-
image_load_dll_dbghelp_dbgcore_susp_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)