Find sigma rule
Attack: Valid Accounts: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
MITRE
Tactic
- defense-evasion
- persistence
- privilege-escalation
- initial-access
technique
- T1078.003
Test : WinPwn - Loot local Credentials - Safetykatz
OS
- windows
Description:
Loot local Credentials - Safetykatz technique via function of WinPwn
Executor
powershell
Sigma Rule
-
proc_creation_win_powershell_download_iex.yml (id: 85b0b087-eddf-4a2b-b033-d771fa2b9775)
-
proc_creation_win_powershell_susp_download_patterns.yml (id: e6c54d94-498c-4562-a37c-b469d8e9a275)
-
proc_creation_win_powershell_download_cradles.yml (id: 6e897651-f157-4d8f-aaeb-df8151488385)
-
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
-
proc_creation_win_powershell_download_patterns.yml (id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7)
-
posh_ps_susp_invocation_specific.yml (id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71)
-
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
-
posh_pm_susp_invocation_specific.yml (id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090)
-
posh_ps_susp_download.yml (id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb)
-
posh_ps_detect_vm_env.yml (id: d93129cd-1ee0-479f-bc03-ca6f129882e3)
-
posh_ps_susp_get_current_user.yml (id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a)
-
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
-
posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
-
posh_ps_susp_get_process.yml (id: af4c87ce-bdda-4215-b998-15220772e993)
-
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
-
posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
-
posh_ps_susp_getprocess_lsass.yml (id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb)
-
file_event_win_powershell_exploit_scripts.yml (id: f331aa1f-8c53-4fc3-b083-cc159bc971cb)
-
posh_ps_nishang_malicious_commandlets.yml (id: f772cee9-b7c2-4cb2-8f07-49870adc02e0)
-
posh_ps_localuser.yml (id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c)
-
posh_ps_automated_collection.yml (id: c1dda054-d638-4c16-afc8-53e007f3fbc5)
-
posh_ps_susp_local_group_reco.yml (id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb)
-
posh_ps_software_discovery.yml (id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282)
-
posh_ps_susp_extracting.yml (id: bd5971a7-626d-46ab-8176-ed643f694f68)
-
posh_ps_dump_password_windows_credential_manager.yml (id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc)
-
posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)
-
posh_ps_timestomp.yml (id: c6438007-e081-42ce-9483-b067fbef33c3)
-
file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
-
proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)
-
net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)
-
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)
-
proc_access_win_susp_shellcode_injection.yml (id: 250ae82f-736e-4844-a68b-0b5e8cc887da)
-
posh_pm_bad_opsec_artifacts.yml (id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86)
-
posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)