Credential Dumping Tools - Service Installation

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.

Attribute	Value
Type	Analytic Rule
Solution	Attacker Tools Threat Protection Essentials
ID	`4ebbb5c2-8802-11ec-a8a3-0242ac120002`
Severity	High
Status	Available
Kind	Scheduled
Tactics	CredentialAccess
Techniques	T1003.001
Required Connectors	SecurityEvents, WindowsSecurityEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`Event`	`EventID == "7045"` `Source == "Service Control Manager"`	✓	✓	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Attacker Tools Threat Protection Essentials