HackTool - Pypykatz Credentials Dumping Activity

Rule name: HackTool - Pypykatz Credentials Dumping Activity

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

PowerTool Execution - Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Tool deployment → PowerTool execution → SAM access → Credential extraction → Privilege escalation

Impact

  • Credential theft
  • Privilege escalation
  • Lateral movement
  • Data exposure

Rule Requirement

Prerequisites

  • Using Windows event viewer:

Log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog. Create a new Group Policy Object (GPO) or modify an existing one linked to the appropriate organizational unit (OU). Then, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking to enable Audit Process Creation and Audit Process Termination, selecting Configure the following audit events and checking the Success box for both. For enhanced visibility, go to Administrative Templates > System > Audit Process Creation, enable the policy Include command line in process creation events, and click OK. Finally, ensure the required logging channel is active by creating the registry key "Microsoft-Windows-Security-Auditing/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.

  • Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, then open a Command Prompt with administrator privileges. Create or obtain a Sysmon configuration file that includes process creation monitoring, and install it using the command sysmon.exe -i [configfile.xml]. Ensure the configuration contains a <ProcessCreate> rule to capture all process creation events. Finally, if it doesn't already exist, create the registry key "Microsoft-Windows-Sysmon/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ to enable logging.

Criteria

Action1: actionname = "Process started"
    AND PROCESSNAME endswith "\pypykatz.exe,\python.exe"
    AND (COMMANDLINE contains "live" AND COMMANDLINE contains "registry")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

  • NIST SP 800-53: SI-4 – System Monitoring: Requires continuous monitoring to detect and respond to unauthorized activity.
    Triggering this rule identifies attempts to extract credentials from the SAM database using tools like pypykatz, helping organizations monitor for credential theft and suspicious behavior in real time.
  • NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting: Ensures that audit records are reviewed and used for identifying anomalies or potential threats.
    Triggering this rule generates critical audit data on credential access attempts, enabling deeper analysis and timely reporting of security incidents.
  • NIST SP 800-53: AC-2 – Account Management: Mandates control and monitoring of user accounts and access privileges.
    Triggering this rule helps detect misuse of accounts where attackers attempt to extract credentials, supporting better enforcement of account security policies.
  • NIST SP 800-53: IR-5 – Incident Monitoring: Focuses on detecting and documenting security incidents for proper response.
    Triggering this rule assists in identifying and documenting an active or attempted credential theft incident, aiding in incident response and containment efforts.
  • NIST SP 800-137: Continuous Monitoring (ISCM): Requires ongoing awareness of threats and effectiveness of security controls.
    Triggering this rule contributes to the organization’s continuous monitoring framework by identifying attempts to exploit registry access for credential extraction.
  • NIST SP 800-61: Computer Security Incident Handling Guide: Provides guidance on managing and responding to security incidents.
    Triggering this rule facilitates early detection of malicious credential access, enabling timely investigation, containment, and remediation in line with incident response procedures.

Author

frack113

Future actions

Known False Positives

This rule will be triggered when security teams or red teams run pypykatz during authorized testing or simulations. It may also generate alerts during forensic analysis or training exercises involving credential extraction tools in controlled environments.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Containment: Isolate the affected host immediately to prevent further access to sensitive credential stores and limit lateral movement.
  5. Eradication: Remove the pypykatz tool, revoke compromised credentials, and apply registry protection measures to prevent future unauthorized access to the SAM database.

Mitigation

Mitigation ID, mitigation name and description:

  • M1028 (Operating System Configuration): Consider disabling or restricting NTLM. (Citation: Microsoft Disable NTLM Nov 2012)
  • M1027 (Password Policies): Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
  • M1026 (Privileged Account Management): Avoid placing user or administrator domain accounts in local administrator groups on multiple systems unless strictly necessary and tightly managed, as this can effectively grant the same elevated access across all systems. Instead, follow enterprise network design and administration best practices to restrict privileged account usage across different administrative tiers.
  • M1017 (User Training): Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.