Adversaries who dump credentials on a compromised Windows host usually have to drop a tool binary or helper DLL to disk, and they frequently write the harvested material (password hashes, Kerberos tickets, the SAM, SECURITY and SYSTEM hives, or an NTDS export) to a file before moving it off the box. The Sigma rule below detects file-creation events whose names match well-known dumping tools (fgdump, pwdump, WCE, cachedump, ProcDump and their components) or the output files those tools customarily produce. Hunting for these events in Azure Sentinel gives the SOC a chance to catch credential theft before the stolen secrets are replayed for lateral movement. Bear in mind that the rule keys on file names only: a renamed binary or a dump written under an arbitrary name will not match, so treat a hit as high-signal but do not treat the rule as complete coverage.
Detection Rule
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Detects the creation of files with well-known names that are either components of credential dumping tools or the output files such tools produce
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.003
    - attack.t1003.004
    - attack.t1003.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains:
            - '\fgdump-log'
            - '\kirbi'
            - '\pwdump'
            - '\pwhashes'
            - '\wce_ccache'
            - '\wce_krbtkts'
        - TargetFilename|endswith:
            - '\cachedump.exe'
            - '\cachedump64.exe'
            - '\DumpExt.dll'
            - '\DumpSvc.exe'
            - '\Dumpy.exe'
            - '\fgexec.exe'
            - '\lsremora.dll'
            - '\lsremora64.dll'
            - '\NTDS.out'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procdump64a.exe'
            - '\pstgdump.exe'
            - '\pwdump.exe'
            - '\SAM.out'
            - '\SECURITY.out'
            - '\servpw.exe'
            - '\servpw64.exe'
            - '\SYSTEM.out'
            - '\test.pwd'
            - '\wceaux.dll'
    condition: selection
falsepositives:
    - Legitimate administrator using a tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
Azure Sentinel query (Sigma-to-KQL translation against the ASIM imFileEvent parser; KQL contains and endswith are case-insensitive, matching the Sigma modifiers):
imFileEvent
| where (TargetFileName contains "\\fgdump-log"
        or TargetFileName contains "\\kirbi"
        or TargetFileName contains "\\pwdump"
        or TargetFileName contains "\\pwhashes"
        or TargetFileName contains "\\wce_ccache"
        or TargetFileName contains "\\wce_krbtkts")
    or (TargetFileName endswith "\\cachedump.exe"
        or TargetFileName endswith "\\cachedump64.exe"
        or TargetFileName endswith "\\DumpExt.dll"
        or TargetFileName endswith "\\DumpSvc.exe"
        or TargetFileName endswith "\\Dumpy.exe"
        or TargetFileName endswith "\\fgexec.exe"
        or TargetFileName endswith "\\lsremora.dll"
        or TargetFileName endswith "\\lsremora64.dll"
        or TargetFileName endswith "\\NTDS.out"
        or TargetFileName endswith "\\procdump.exe"
        or TargetFileName endswith "\\procdump64.exe"
        or TargetFileName endswith "\\procdump64a.exe"
        or TargetFileName endswith "\\pstgdump.exe"
        or TargetFileName endswith "\\pwdump.exe"
        or TargetFileName endswith "\\SAM.out"
        or TargetFileName endswith "\\SECURITY.out"
        or TargetFileName endswith "\\servpw.exe"
        or TargetFileName endswith "\\servpw64.exe"
        or TargetFileName endswith "\\SYSTEM.out"
        or TargetFileName endswith "\\test.pwd"
        or TargetFileName endswith "\\wceaux.dll")
Scenario: A system administrator uses Sysinternals ProcDump (procdump.exe or procdump64.exe, both on the rule's list) to capture a crash dump of a misbehaving application for troubleshooting. This is the most common legitimate hit for the rule.
Filter/Exclusion: Exclude only the combination of a known installation path, a known administrative account and a documented change or ticket; never exclude the file name on its own. Before closing the alert, pivot to process-creation events on the same host and confirm the dump target was not lsass.exe, since dumping lsass with ProcDump is exactly the abuse this rule is meant to surface.
Scenario: A red team engagement stages one of the listed tools, or writes output under one of the listed names, as part of an authorised credential-dumping simulation.
Filter/Exclusion: Suppress by the engagement's host names, source addresses and user accounts, and only for the agreed time window; remove the exclusion when the engagement ends.
Scenario: An endpoint-management or software-deployment agent copies a legitimately packaged tool such as ProcDump into its staging directory on many hosts at once, producing a burst of hits.
Filter/Exclusion: Exclude on the deploying process and its staging directory rather than on the file name. Do not allowlist a credential-dumping tool name in a user-writable or temporary location such as C:\Windows\Temp: a listed tool appearing there is the malicious case, not the benign one.
Scenario: An internal reporting or backup script writes generically named output such as SYSTEM.out or NTDS.out during routine operations and collides with the rule's output-file patterns.
Filter/Exclusion: Filter on the creating process and its output directory, and verify what was written. A genuine hive or directory export comes from reg.exe, ntdsutil or a dumping tool and typically lands next to its sibling hives, whereas a report writer's .out files sit in that tool's own log directory.
Scenario: A member of the security team runs one of the listed tools (e.g. pwdump or cachedump) during an authorised internal security assessment.
Filter/Exclusion: Filter by the assessment accounts and hosts (e.g. securityteam, pentester) and require a matching engagement record; keep the exclusion time-bound, as with red team activity.
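The matching semantics behind the rule and the KQL above, and the narrow style of exclusion the scenarios recommend, are easier to see over concrete events. The following is an added example written for this page; it is not part of the Sigma rule, its Sentinel translation, or the oscd.community project. It re-implements the rule's selection in Python (the logic is pure, case-insensitive string matching, so it stands in for the KQL), runs it over constructed file-creation events, and suppresses only the hits explained by a hypothetical deployment job. The account name contoso\svc-endpointmgmt, the staging directory, the event field names and every sample path are invented for the example.

```python
"""Added example, not part of the Sigma rule or its Sentinel translation.

Re-implements the rule's TargetFilename selection in plain Python, runs it
over constructed file-creation events, and layers on the kind of narrowly
scoped exclusion the false-positive scenarios above call for.
"""
from dataclasses import dataclass

# Patterns copied verbatim from the rule. Sigma's contains/endswith modifiers
# and KQL's contains/endswith are case-insensitive, so everything is lowered.
CONTAINS = (r'\fgdump-log', r'\kirbi', r'\pwdump', r'\pwhashes',
            r'\wce_ccache', r'\wce_krbtkts')
ENDSWITH = (r'\cachedump.exe', r'\cachedump64.exe', r'\DumpExt.dll',
            r'\DumpSvc.exe', r'\Dumpy.exe', r'\fgexec.exe', r'\lsremora.dll',
            r'\lsremora64.dll', r'\NTDS.out', r'\procdump.exe',
            r'\procdump64.exe', r'\procdump64a.exe', r'\pstgdump.exe',
            r'\pwdump.exe', r'\SAM.out', r'\SECURITY.out', r'\servpw.exe',
            r'\servpw64.exe', r'\SYSTEM.out', r'\test.pwd', r'\wceaux.dll')
_CONTAINS = tuple(p.lower() for p in CONTAINS)
_ENDSWITH = tuple(p.lower() for p in ENDSWITH)


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-creation event; field names are illustrative, not ASIM's."""
    target_filename: str   # full path of the created file
    acting_process: str    # image that created it
    actor_user: str        # account it ran as


def matches_rule(target_filename: str) -> bool:
    """Equivalent of the rule's `selection`: contains-list OR endswith-list."""
    t = target_filename.lower()
    return any(p in t for p in _CONTAINS) or any(t.endswith(p) for p in _ENDSWITH)


# Hypothetical tuning for the deployment scenario: the account and staging
# directory of the endpoint-management job that installs Sysinternals.
# Both values are invented for this example. Exclude on this kind of
# path+account combination, never on a bare file name.
EXPECTED_DEPLOYER = 'contoso\\svc-endpointmgmt'
EXPECTED_STAGING_DIR = 'c:\\program files\\sysinternals\\'


def is_expected(ev: FileEvent) -> bool:
    """True when the hit is explained by the documented deployment job."""
    return (ev.actor_user.lower() == EXPECTED_DEPLOYER
            and ev.target_filename.lower().startswith(EXPECTED_STAGING_DIR))


def triage(events):
    """Events that match the rule and are not covered by the exclusion."""
    return [ev for ev in events
            if matches_rule(ev.target_filename) and not is_expected(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # dumper dropped into a world-writable folder: alert
    FileEvent(r'C:\Users\Public\procdump64.exe', 'powershell.exe', 'contoso\\jdoe'),
    # same binary staged by the deployment job: matches, then suppressed
    FileEvent(r'C:\Program Files\Sysinternals\procdump64.exe', 'msiexec.exe',
              'contoso\\svc-endpointmgmt'),
    # mixed case and a version suffix still hit the '\pwdump' contains pattern
    FileEvent(r'C:\Tools\PwDump7.exe', 'explorer.exe', 'contoso\\jdoe'),
    # hive export written to a share
    FileEvent(r'\\fs01\it$\SAM.out', 'cmd.exe', 'contoso\\jdoe'),
    # a directory whose name starts with kirbi matches '\kirbi'
    FileEvent(r'C:\Temp\kirbi_export\krb.bin', 'cmd.exe', 'contoso\\jdoe'),
    # but an exported ticket's .kirbi extension does not: '\kirbi' needs a
    # backslash immediately before it, so this one is missed
    FileEvent(r'C:\Temp\tickets\admin.kirbi', 'cmd.exe', 'contoso\\jdoe'),
    # renamed dumper writing an lsass dump: no listed name, also missed
    FileEvent(r'C:\Windows\Temp\lsass.dmp', 'pd64.exe', 'contoso\\jdoe'),
]


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        hit = matches_rule(ev.target_filename)
        verdict = 'alert' if hit and not is_expected(ev) else (
            'suppressed' if hit else 'no match')
        print(f'{verdict:10} {ev.target_filename}')
```

Running it alerts on four of the seven events, suppresses the staged ProcDump copy, and leaves the two misses (the .kirbi ticket and the renamed dumper's lsass.dmp) visible as a reminder that a file-name rule is a hunt aid, not a safety net: pair it with process-access and command-line detections for lsass.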