proc_creation_win_hktl_pypykatz Scenario

« proc_creation_win_hktl_pypykatz »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored

Installation

cscli scenarios install sigmahq/proc_creation_win_hktl_pypykatz

YAML Configuration

1type: trigger
2name: sigmahq/proc_creation_win_hktl_pypykatz
3description: |
4  Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\pypykatz.exe' || evt.Parsed.Image endsWith '\\python.exe') && evt.Parsed.CommandLine contains 'live' && evt.Parsed.CommandLine contains 'registry')
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1003.002
15
16  label: "HackTool - Pypykatz Credentials Dumping Activity"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24

Hub configuration

« proc_creation_win_hktl_pypykatz »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1

« proc_creation_win_hktl_pypykatz »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1