HackTool - SafetyKatz Execution

Rule name: HackTool - SafetyKatz Execution
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the execution of the hacktool SafetyKatz via PE information (OriginalFileName and Description) and its default image name.

Severity

Critical

Rule journey

Attack chain scenario

Initial access → Privilege escalation → SafetyKatz deployment → Credential dumping → Lateral movement → Persistence setup

Impact

  • Credential theft
  • Privilege escalation
  • Identity impersonation
  • Network compromise

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed process tracking, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc. Create a new Group Policy Object (GPO) or edit an existing one linked to the relevant OU, then navigate to Advanced Audit Policy Configuration under Computer Configuration. Enable Audit Process Creation and Audit Process Termination by configuring them to log successful events. For enhanced visibility, enable the policy to Include command line in process creation events under Administrative Templates > System > Audit Process Creation. Additionally, ensure a registry key named Microsoft-Windows-Security-Auditing/Operational exists under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ for proper logging.

  • Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, then run Command Prompt as an administrator. Use a configuration file that includes process creation monitoring and install Sysmon using sysmon.exe -i [configfile.xml]. Ensure the configuration captures all process creation events, and create the registry key Microsoft-Windows-Sysmon/Operational under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\SafetyKatz.exe" OR ORIGINALFILENAME = "SafetyKatz.exe" OR MESSAGE = "SafetyKatz") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
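The criteria above, implemented as an added example (not part of the rule page) over constructed process-creation events. Field names follow the criteria; two assumptions are made that the page does not state: the "Process started" test gates all three OR branches, and string matching is case-insensitive.

```python
# Added example, not part of the rule page: the three match branches of
# the criteria above, applied to constructed process-creation events.
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Fields named after the criteria (Sysmon EID 1 / Security 4688 data)."""
    actionname: str             # normalised action, e.g. "Process started"
    processname: str            # image path (Sysmon Image / 4688 NewProcessName)
    originalfilename: str = ""  # OriginalFileName from the PE version resource
    message: str = ""           # Description from the PE version resource
    commandline: str = ""

def matched_branches(ev: ProcessEvent) -> list:
    """Return the criteria branches the event satisfies (empty = no alert).

    Two assumptions not stated on the page: the "Process started" test gates
    all three branches, and matching is case-insensitive (Sigma's default).
    """
    if ev.actionname != "Process started":
        return []
    hits = []
    if ev.processname.lower().endswith("\\safetykatz.exe"):
        hits.append("PROCESSNAME")
    if ev.originalfilename.lower() == "safetykatz.exe":
        hits.append("ORIGINALFILENAME")
    if ev.message.lower() == "safetykatz":
        hits.append("MESSAGE")
    return hits

def alerts(events):
    """Return (PROCESSNAME, matched branches) for each event that fires."""
    return [(ev.processname, matched_branches(ev))
            for ev in events if matched_branches(ev)]

# Constructed samples: the default image name; a renamed copy whose PE version
# resource still carries the original name (why the rule checks PE information,
# not just the path); a benign process; and a termination record for the same
# image, which the event-type gate drops.
SAMPLE_EVENTS = [
    ProcessEvent("Process started", r"C:\Users\alice\Downloads\SafetyKatz.exe",
                 "SafetyKatz.exe", "SafetyKatz"),
    ProcessEvent("Process started", r"C:\Temp\updater.exe",
                 "SafetyKatz.exe", "SafetyKatz"),
    ProcessEvent("Process started", r"C:\Windows\System32\notepad.exe",
                 "NOTEPAD.EXE", "Notepad"),
    ProcessEvent("Process terminated", r"C:\Users\alice\Downloads\SafetyKatz.exe",
                 "SafetyKatz.exe", "SafetyKatz"),
]
```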

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Security Standards

Enabling this rule will help you meet the security standards' requirements listed below:

1. NIST SP 800-53 – AU-6: Audit Review, Analysis, and Reporting

Requires the organization to analyze audit logs to detect unauthorized or suspicious activity.
Triggering this rule flags suspicious execution of SafetyKatz, enabling timely audit review and threat detection.

2. NIST SP 800-53 – SI-4: System Monitoring

Calls for active monitoring to identify and respond to security-relevant events.
Triggering this rule helps identify unauthorized use of credential-dumping tools, supporting proactive system monitoring.

3. NIST SP 800-53 – AC-6: Least Privilege

Ensures that users operate with the minimum privileges necessary, reducing misuse of elevated rights.
Triggering this rule can expose misuse of privileged access via tools like SafetyKatz, reinforcing least privilege enforcement.

4. NIST SP 800-53 – IR-5: Incident Monitoring

Requires organizations to track and document security incidents for response and improvement.
Triggering this rule provides clear indicators of credential compromise attempts, aiding in incident documentation and response.

5. NIST SP 800-171 – 3.3.1: Generate audit records

Requires audit logs for security-relevant activities to support investigations.
Triggering this rule ensures execution of sensitive tools like SafetyKatz is logged, aiding in compliance and investigation.

6. NIST CSF – DE.CM-1: Detect Anomalies and Events

Encourages continuous monitoring to detect anomalous behavior that could indicate a threat.
Triggering this rule detects abnormal use of known hacking tools, enabling rapid threat recognition.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered if a red team or security analyst runs SafetyKatz during authorized penetration testing. It may also generate false positives if a file with the same name is used for research, training, or malware analysis in controlled environments.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Containment: Immediately isolate the affected endpoint to prevent further credential harvesting or tool execution.
  5. Recovery: Revoke and reset potentially compromised credentials and review privileged account activity for signs of misuse.

Mitigation

M1040: Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)

M1043: Credential Access Protection

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. (Citation: TechNet Credential Guard) (Citation: GitHub SHB Credential Guard)

M1028: Operating System Configuration

Consider disabling or restricting NTLM. (Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication. (Citation: Microsoft WDigest Mit)

M1027: Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026: Privileged Account Management

Avoid assigning user or admin domain accounts to local administrator groups across multiple systems unless they are strictly managed, as this can effectively create a shared local admin account with identical credentials. Instead, adhere to enterprise network design and administration best practices to restrict privileged account usage across different administrative tiers.

M1025: Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)

M1017: User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.