Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding T1003 OS Credential Dumping

Browse Source
This commit is contained in:
keyboardcrunch
2021-03-17 20:05:39 -05:00
parent 58b7368940
commit 2f71277652
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/os_credential_dumping.yml
+15
View File
@@ -0,0 +1,15 @@
title: OS Credential Dumping
description: Detects NPPSpy service or credential theft through generic IndicatorName.
author: keyboardcrunch
date: 17/03/2021
modified: null
mitre:
tactic: Credential Access
technique: T1003
subtechnique: null
operating_system: linux
query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "LSASSMemoryAccessed", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
false_positives: null
tags: null
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md