
Summary
This detection rule identifies the use of QuarksPwDump, a credential-harvesting tool that writes dump files containing sensitive material such as password hashes. The detection works by monitoring file events on Windows systems and looking for files whose names match the pattern QuarksPwDump uses for its dump files: they are typically written to the user's local temporary folder (\AppData\Local\Temp) with a filename that begins with 'SAM-' and ends with '.dmp'. By capturing these file creation events, organizations can identify unauthorized credential access attempts indicative of malicious activity or post-exploitation behavior. This rule is important for protecting against credential theft and should be integrated into endpoint monitoring strategies.
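The following is an added example, not part of the original rule page, showing the detection logic described above applied to constructed file-create events. The records are shaped like Sysmon Event ID 11 (FileCreate) entries with `TargetFilename` and `Image` fields, which is an assumption about the event source; the sample paths and process names are invented for the demonstration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style FileCreate (Event ID 11) records for testing the rule.
# These are sample values made up for this example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": "C:\\Users\\alice\\Downloads\\qpd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SAM-2018-02-10.dmp"},
    {"EventID": "11", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\sam-123.DMP"},
    {"EventID": "11", "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.dmp"},
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Temp\\SAM-backup.dmp"},
    {"EventID": "23", "Image": "C:\\Users\\alice\\Downloads\\qpd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SAM-1.dmp"},
]

# The rule's file pattern: the file must sit directly in \AppData\Local\Temp,
# its name must begin with 'SAM-' and it must end with '.dmp'. Windows paths
# are case-insensitive, so the match is too (SAM-/sam-, .dmp/.DMP).
DUMP_PATTERN = re.compile(r"\\AppData\\Local\\Temp\\SAM-[^\\]*\.dmp$", re.IGNORECASE)


def is_quarkspwdump_dump(target_filename: str) -> bool:
    """Return True when a file path matches the QuarksPwDump dump-file pattern."""
    return DUMP_PATTERN.search(target_filename) is not None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events.

    Only file-creation events (Sysmon Event ID 11) are considered, since the
    rule keys on the dump file being written, not on later deletes or reads.
    """
    hits = []
    for event in events:
        if event.get("EventID") != "11":
            continue
        if is_quarkspwdump_dump(event.get("TargetFilename", "")):
            hits.append(event)
    return hits


def format_alert(event: Dict[str, str]) -> str:
    """Render one hit as a short, analyst-readable alert line."""
    return (f"QuarksPwDump dump file created: {event['TargetFilename']} "
            f"(writer: {event.get('Image', 'unknown')})")


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(format_alert(hit))
```

Of the five constructed records, only the first two trigger: the third lacks the `SAM-` prefix, the fourth is outside `\AppData\Local\Temp`, and the fifth is not a file-creation event. Because the rule is purely name-based, a practitioner would treat a hit as a pivot point, checking which process wrote the file and whether it also opened the SAM or LSASS, rather than as proof on its own.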
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2018-02-10