From 2f7127765253a18fd48dc2dce4c7ff3bc75ea7fc Mon Sep 17 00:00:00 2001
From: keyboardcrunch
Date: Wed, 17 Mar 2021 20:05:39 -0500
Subject: [PATCH] Adding T1003 OS Credential Dumping

---
 queries/windows/os_credential_dumping.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 queries/windows/os_credential_dumping.yml

diff --git a/queries/windows/os_credential_dumping.yml b/queries/windows/os_credential_dumping.yml
new file mode 100644
index 0000000..dc41220
--- /dev/null
+++ b/queries/windows/os_credential_dumping.yml
@@ -0,0 +1,15 @@
+title: OS Credential Dumping
+description: Detects NPPSpy service or credential theft through generic IndicatorName.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1003
+ subtechnique: null
+operating_system: linux
+query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "LSASSMemoryAccessed", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
\ No newline at end of file
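Review bot: `operating_system: linux` contradicts the rest of the rule, which lives under queries/windows/, keys on a Windows registry path and names LSASS and SAM indicators; it should read `operating_system: windows`, otherwise any consumer that filters rules by platform will never apply it to the hosts it is written for. The `false_positives: null` field is worth filling in rather than leaving empty, since the registry branch fires on any service key containing that name and the IndicatorName branch depends on how the upstream sensor scores those generic indicators; a one-line note such as `false_positives: Security tooling or credential-audit agents that read LSASS memory may raise the same IndicatorName values` would tell the analyst what to expect. The registry branch matches only the default service name, so the IndicatorName values carry most of the coverage; the description could say so explicitly. `date: 17/03/2021` is day-first; if other rules in the repository use ISO `YYYY-MM-DD`, this one should match them so sorting and parsing stay consistent.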