<group name="credential_access,MITRE,">
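<!-- Process creation (Sysmon Event ID 1, group sysmon_event1) whose image ends in
     findstr.exe and whose event text contains "cpassword", the attribute that stores
     Group Policy Preferences credentials in SYSVOL. Both conditions must hold.
     "&" is not well-formed inside XML text and is written as "&amp;" below.
     NOTE(review): T1081 is a retired ATT&CK ID; Group Policy Preferences now maps to
     T1552.006. The attack.t1081 tag is kept so existing dashboards keep working;
     consider adding the current ID alongside it. -->
<rule id="255103" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.image">\\findstr.exe</field>
<regex>cpassword</regex>
<description>Finding Passwords in SYSVOL &amp; Exploiting Group Policy Preferences : MITRE ATT&amp;CK T1081 - https://adsecurity.org/?p=2288</description>
<group>MITRE,attack.t1081,</group>
</rule>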
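<!-- Child of rule 255547 (defined in another file; presumably a registry-change rule,
     confirm there) whose event text names the LMCompatibilityLevel value under Lsa.
     Lowering this value weakens the NTLM level a host will negotiate, which is why the
     description ties it to the Internal Monologue technique.
     "&" is not well-formed inside XML text and is written as "&amp;" below.
     NOTE(review): T1075 is a retired ATT&CK ID; Pass the Hash is now T1550.002.
     The attack.t1075 tag is kept for compatibility; consider adding the current ID. -->
<rule id="255104" level="10">
<if_sid>255547</if_sid>
<regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel</regex>
<description>ATT&amp;CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
<group>MITRE,attack.t1075</group>
</rule>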
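<!-- Companion to 255104: same parent (255547, defined in another file), same intent, but
     keyed on the RestrictSendingNTLMTraffic value under Lsa\MSV1_0. The rule does not
     inspect the new value, so any write to this key alerts, including a hardening change.
     "&" is not well-formed inside XML text and is written as "&amp;" below.
     NOTE(review): T1075 is a retired ATT&CK ID; Pass the Hash is now T1550.002.
     The attack.t1075 tag is kept for compatibility; consider adding the current ID. -->
<rule id="255105" level="10">
<if_sid>255547</if_sid>
<regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic</regex>
<description>ATT&amp;CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
<group>MITRE,attack.t1075</group>
</rule>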
<!-- File-creation event (Sysmon Event ID 11, group sysmon_event_11) whose event text
     contains the path fragment \Temp\debug.bin, the dump file name the description
     associates with SafetyKatz. A path-based indicator only: a build that writes the
     dump elsewhere is not covered. Tagged "sigma" to mark its origin in a Sigma rule. -->
<rule id="255106" level="10">
<if_group>sysmon_event_11</if_group>
<regex>\\Temp\\debug.bin</regex>
<description>Detects possible SafetyKatz Behaviour</description>
<group>MITRE,attack.t1003,sigma</group>
</rule>
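<!-- Process-access event (Sysmon Event ID 10, group sysmon_event_10) whose event text
     contains lsass.exe and dbgcore (the dump helper typically visible in the call trace).
     Rule 255109 hangs off this rule as a level-0 exclusion for known LSASS readers.
     NOTE(review): rule 255116 repeats these exact conditions under a different description;
     because only one rule fires per event, one of the two is dead and the other decides
     whether the exclusion in 255109 ever applies. Keep a single copy.
     "&" is not well-formed inside XML text and is written as "&amp;" below. -->
<rule id="255107" level="12">
<if_group>sysmon_event_10</if_group>
<match>lsass.exe</match>
<regex>dbgcore</regex>
<description>ATT&amp;CK T1003: dbgcore.DLL potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>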
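<!-- Registry value-set event (Sysmon Event ID 13, group sysmon_event_13) whose target
     object ends in \WDigest\UseLogonCredential. Enabling this value makes WDigest keep
     plaintext credentials in LSASS memory. Only the key path is checked, not the value
     written (win.eventdata.details), so resetting the value to 0 alerts as well.
     "&" is not well-formed inside XML text and is written as "&amp;" below. -->
<rule id="255108" level="12">
<if_group>sysmon_event_13</if_group>
<field name="win.eventdata.targetObject">\\WDigest\\UseLogonCredential</field>
<description>ATT&amp;CK T1003: Detects possible Mimikatz Activity, registry edit for WDigest plain text credentials</description>
<group>MITRE,attack.t1003,</group>
</rule>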
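<!-- Level-0 exclusion: silences the dbgcore/LSASS alert for known legitimate readers.
     Two corrections to the original:
     1. Sysmon Event ID 10 (ProcessAccess) carries the accessing process in SourceImage,
        which the eventchannel decoder exposes as win.eventdata.sourceImage; the event has
        no "Image" field, so a check on win.eventdata.image could never match and the
        exclusion was never applied. NOTE(review): confirm against a decoded sample event.
     2. The parent list now includes 255116, which duplicates 255107, so the exclusion
        holds whichever of the two fires first.
     The exclusion keys on the file name only; a binary with one of these names in any
     directory is silenced. Anchoring on the full install path would narrow that gap. -->
<rule id="255109" level="0">
<if_sid>255107,255116</if_sid>
<field name="win.eventdata.sourceImage">\\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe</field>
<description>Whitelist Interaction with LSASS</description>
<group>MITRE,attack.t1003,</group>
</rule>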
<!-- Windows Application-log event (group windows_application) whose text contains
     grabber_temp. The description attributes this artifact to the Internet Explorer
     password grabber seen with Trickbot; it is a literal string indicator only. -->
<rule id="255110" level="12">
<if_group>windows_application</if_group>
<regex>grabber_temp</regex>
<description>Microsoft Internet Explorer Passwords dumped, TTP indicative of Trickbot infection</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- Child of rule 255531 (defined in another file) whose event text contains comsvcs.dll
     together with either MiniDump or #24. #24 is the export ordinal of comsvcs.dll's
     MiniDump function, so invoking it by ordinal is caught as well as by name.
     Rules 255112 and 255113 apply the same conditions under parent 255524. -->
<rule id="255111" level="12">
<if_sid>255531</if_sid>
<match>comsvcs.dll</match>
<regex>MiniDump|#24</regex>
<description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- Same comsvcs.dll MiniDump check as 255111, attached to parent 255524 (defined in
     another file) instead of 255531. NOTE(review): rule 255113 is a byte-for-byte copy of
     this rule (same parent, match, regex, description); only one of the two can ever fire. -->
<rule id="255112" level="12">
<if_sid>255524</if_sid>
<match>comsvcs.dll</match>
<regex>MiniDump|#24</regex>
<description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- NOTE(review): exact duplicate of rule 255112 (same parent 255524, same match, regex
     and description). Since only one rule fires per event, this copy is dead or shadows
     255112. Remove it once no other rule or alert filter references id 255113. -->
<rule id="255113" level="12">
<if_sid>255524</if_sid>
<match>comsvcs.dll</match>
<regex>MiniDump|#24</regex>
<description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- Process creation (Sysmon Event ID 1, group sysmon_event1) whose event text contains
     the literal string mimikatz anywhere (image path, command line or parent fields).
     A name-based indicator: a renamed binary does not trigger it, so it complements rather
     than replaces the behavioural LSASS-access rules above. -->
<rule id="255114" level="12">
<if_group>sysmon_event1</if_group>
<match>mimikatz</match>
<description>Mimikatz potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- Process creation (Sysmon Event ID 1, group sysmon_event1) whose event text contains
     both procdump and lsass; the match and regex conditions are ANDed, so procdump runs
     against other processes do not alert. -->
<rule id="255115" level="12">
<if_group>sysmon_event1</if_group>
<match>procdump</match>
<regex>lsass</regex>
<description>Procdump potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
<!-- NOTE(review): duplicates rule 255107 exactly except for the description (same group,
     match and regex). Only one rule fires per event, so this copy is either dead or it
     fires instead of 255107, in which case the level-0 exclusion 255109 (a child of
     255107 only) never applies and the excluded processes alert at level 12.
     Merge into 255107 or attach 255109 to both ids. -->
<rule id="255116" level="12">
<if_group>sysmon_event_10</if_group>
<match>lsass.exe</match>
<regex>dbgcore</regex>
<description>dbgcore.DLL potentially used to dump credentials from LSASS</description>
<group>MITRE,attack.t1003</group>
</rule>
</group>