Adversaries may use QuarksPwDump to extract credentials from memory, and the dump file it writes is the artifact of that credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel so that credential dumping is identified and mitigated before it leads to lateral movement or data exfiltration.
Detection Rule
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical
imFileEvent
// In the ASIM FileEvent schema TargetFilePath holds the full normalized path, while TargetFileName is the bare file name;
// the directory check therefore has to run against TargetFilePath or it never matches.
| where TargetFilePath contains "\\AppData\\Local\\Temp\\SAM-" and TargetFilePath contains ".dmp"
False Positive Scenarios

Scenario: A system administrator is using Process Explorer or ProcDump to generate a memory dump for troubleshooting a crashing application.
Filter/Exclusion: Check for the presence of procexp.exe, procdump.exe, or Process Explorer in the process tree, or filter by known admin tools.

Scenario: A scheduled job runs a legitimate password reset script that temporarily writes a dump file as part of its operation.
Filter/Exclusion: Exclude processes associated with the job scheduler (e.g., schtasks.exe, Task Scheduler), or filter by known system or service accounts.

Scenario: A Windows Update or Group Policy deployment process generates a dump file during a system configuration change.
Filter/Exclusion: Exclude processes related to wuauclt.exe, gupdate.exe, or Group Policy Client services.

Scenario: A database administrator uses SQL Server Profiler or SQL Server Management Studio (SSMS) to capture a memory dump for performance analysis.
Filter/Exclusion: Filter by processes associated with SQL Server (sqlservr.exe, sqlps.exe) or known DBA tools.

Scenario: A security tool like Wireshark or Microsoft Message Analyzer creates a dump file during packet capture or log analysis.
Filter/Exclusion: Exclude processes related to wireshark.exe, msgsrv32.exe, or other network analysis tools.
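The following added example (not part of the Sigma rule, the page, or any Sentinel content) replays the rule's `TargetFilename|contains|all` selection and the process-based exclusions from the scenarios above over constructed Sysmon-style file events; the `FileEvent` record, the `qpd.exe` sample path and the decision to key exclusions on the creating process image are assumptions for illustration.

```python
"""Evaluate the QuarksPwDump dump-file selection against constructed file events and
apply the process-name exclusions listed in the false-positive scenarios."""
from dataclasses import dataclass

# Substrings from the rule's `TargetFilename|contains|all` selection (both must appear).
SELECTION_ALL = (r"\AppData\Local\Temp\SAM-", ".dmp")

# Image names taken from the page's Filter/Exclusion lines; matching on the creating
# process image is an assumed tuning approach, not part of the rule itself.
EXCLUDED_IMAGES = {
    "procexp.exe", "procdump.exe", "schtasks.exe", "wuauclt.exe", "gupdate.exe",
    "sqlservr.exe", "sqlps.exe", "wireshark.exe", "msgsrv32.exe",
}


@dataclass(frozen=True)
class FileEvent:
    target_filename: str  # full path of the created file (Sysmon Event ID 11 TargetFilename)
    image: str            # full path of the process that created the file


def matches_selection(event: FileEvent) -> bool:
    """Sigma `contains` is case-insensitive, so compare lower-cased path and tokens."""
    path = event.target_filename.lower()
    return all(token.lower() in path for token in SELECTION_ALL)


def is_excluded(event: FileEvent) -> bool:
    """Suppress hits whose creating process image is on the exclusion list."""
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    return image_name in EXCLUDED_IMAGES


def triage(events):
    """Return (alerts, suppressed): rule hits split by whether an exclusion applies."""
    alerts, suppressed = [], []
    for ev in events:
        if matches_selection(ev):
            (suppressed if is_excluded(ev) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\SAM-18a3f2c1.dmp", r"C:\Users\alice\Downloads\qpd.exe"),
    FileEvent(r"c:\users\bob\appdata\local\temp\sam-0001.DMP", r"C:\Tools\unknown.exe"),  # case differs, still hits
    FileEvent(r"C:\Users\bob\AppData\Local\Temp\SAM-0002.dmp", r"C:\Sysinternals\procdump.exe"),  # excluded per scenario 1
    FileEvent(r"C:\Users\carol\AppData\Local\Temp\app-crash.dmp", r"C:\Windows\System32\WerFault.exe"),  # no SAM- prefix
    FileEvent(r"C:\Windows\Temp\SAM-0003.dmp", r"C:\Windows\System32\svchost.exe"),  # wrong directory
]
```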