Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Credential Dumping Tools - File Artifacts

Back
Id32ffb19e-8ed8-40ed-87a0-1adb4746b7c4
RulenameCredential Dumping Tools - File Artifacts
DescriptionThis query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.

Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/
SeverityHigh
TacticsCredentialAccess
TechniquesT1003.001
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/CredentialDumpingToolsFileArtifacts.yaml
Version1.0.3
Arm template32ffb19e-8ed8-40ed-87a0-1adb4746b7c4.json
Deploy To Azure
// Enter a reference list of malicious file artifacts
let MaliciousFileArtifacts = dynamic (["lsass.dmp","test.pwd","lsremora.dll","lsremora64.dll","fgexec.exe","pwdump","kirbi","wce_ccache","wce_krbtkts","wceaux.dll","PwHashes","SAM.out","SECURITY.out","SYSTEM.out","NTDS.out" "DumpExt.dll","DumpSvc.exe","cachedump64.exe","cachedump.exe","pstgdump.exe","servpw64.exe","servpw.exe","pwdump.exe","fgdump-log"]);
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==11
| parse EventData with * 'TargetFilename">' TargetFilename "<" *
| where TargetFilename has_any (MaliciousFileArtifacts)
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename
| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')
name: Credential Dumping Tools - File Artifacts
version: 1.0.3
severity: High
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1003.001
status: Available
description: |
  'This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.
  Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/CredentialDumpingToolsFileArtifacts.yaml
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - Event
- connectorId: WindowsSecurityEvents
  dataTypes:
  - Event
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: TargetFilename
  entityType: File
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
- fieldMappings:
  - identifier: CommandLine
    columnName: Image
  entityType: Process
tactics:
- CredentialAccess
queryPeriod: 1h
query: |
  // Enter a reference list of malicious file artifacts
  let MaliciousFileArtifacts = dynamic (["lsass.dmp","test.pwd","lsremora.dll","lsremora64.dll","fgexec.exe","pwdump","kirbi","wce_ccache","wce_krbtkts","wceaux.dll","PwHashes","SAM.out","SECURITY.out","SYSTEM.out","NTDS.out" "DumpExt.dll","DumpSvc.exe","cachedump64.exe","cachedump.exe","pstgdump.exe","servpw64.exe","servpw.exe","pwdump.exe","fgdump-log"]);
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==11
  | parse EventData with * 'TargetFilename">' TargetFilename "<" *
  | where TargetFilename has_any (MaliciousFileArtifacts)
  | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename
  | extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')  
kind: Scheduled
triggerThreshold: 0
id: 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')]",
      "properties": {
        "alertRuleTemplateName": "32ffb19e-8ed8-40ed-87a0-1adb4746b7c4",
        "customDetails": null,
        "description": "'This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/'\n",
        "displayName": "Credential Dumping Tools - File Artifacts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "TargetFilename",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "Image",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/CredentialDumpingToolsFileArtifacts.yaml",
        "query": "// Enter a reference list of malicious file artifacts\nlet MaliciousFileArtifacts = dynamic ([\"lsass.dmp\",\"test.pwd\",\"lsremora.dll\",\"lsremora64.dll\",\"fgexec.exe\",\"pwdump\",\"kirbi\",\"wce_ccache\",\"wce_krbtkts\",\"wceaux.dll\",\"PwHashes\",\"SAM.out\",\"SECURITY.out\",\"SYSTEM.out\",\"NTDS.out\" \"DumpExt.dll\",\"DumpSvc.exe\",\"cachedump64.exe\",\"cachedump.exe\",\"pstgdump.exe\",\"servpw64.exe\",\"servpw.exe\",\"pwdump.exe\",\"fgdump-log\"]);\nEvent\n| where EventLog == \"Microsoft-Windows-Sysmon/Operational\" and EventID==11\n| parse EventData with * 'TargetFilename\">' TargetFilename \"<\" *\n| where TargetFilename has_any (MaliciousFileArtifacts)\n| parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Image\">' Image \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1003.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}