Credential Dumping Tools - File Artifacts

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/

Attribute Value
Type Analytic Rule
Solution Attacker Tools Threat Protection Essentials
ID 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4
Severity High
Status Available
Kind Scheduled
Tactics CredentialAccess
Techniques T1003.001
Required Connectors SecurityEvents, WindowsSecurityEvents
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
Event EventID == "11"
EventLog == "Microsoft-Windows-Sysmon/Operational"		 ?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Analytic Rules · Back to Attacker Tools Threat Protection Essentials