Find sigma rule

Attack: OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

MITRE

Tactic

credential-access

technique

T1003

Test : Dump svchost.exe to gather RDP credentials

OS

windows

Description:

The svchost.exe contains the RDP plain-text credentials. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/

Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.

Executor

powershell

Sigma Rule

posh_pm_susp_get_nettcpconnection.yml (id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1)
posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
proc_creation_win_rundll32_process_dump_via_comsvcs.yml (id: 646ea171-dded-4578-8a4d-65e9822892e3)
image_load_dll_dbghelp_dbgcore_susp_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test