Lateral Credential-Harvest

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

This rule detects a suspicious sequence of lateral movement followed by credential harvesting activity. It correlates remote execution events from SIEM (e.g., PsExec, WMI, PowerShell remoting) with LSASS memory dump attempts from EDR telemetry. This pattern is commonly used by attackers to move laterally across the network and extract credentials for privilege escalation or domain dominance.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME endswith "wmic.exe,powershell.exe,pwsh.exe,psexec.exe,psexec64.exe" OR ORIGINALFILENAME = "wmic.exe,powershell.exe,pwsh.dll,psexec.c") AND COMMANDLINE contains "/node,Invoke-Command,Enter-PSSession,-nop,hidden,binpath,psexec") Action2: actionname = "Advanced Threat detected" AND COMMANDLINE contains "procdump,rdrleakdiag,taskmgr,comsvcs.dll,werfault,svchost,dump,.dmp" AND ENDPOINT_NAME = Action1.HOSTNAME AND DOMAIN = Action1.DOMAIN AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 60m select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.TYPE,Action2.STATUS,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.COMMANDLINE,Action2.DOMAIN

Detection

Execution Mode

realtime

Log Sources

Bitdefender