Lateral Credential-Harvest
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
This rule detects a suspicious sequence of lateral movement followed by credential harvesting activity. It correlates remote execution events from SIEM (e.g., PsExec, WMI, PowerShell remoting) with LSASS memory dump attempts from EDR telemetry. This pattern is commonly used by attackers to move laterally across the network and extract credentials for privilege escalation or domain dominance.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ((PROCESSNAME endswith "wmic.exe,powershell.exe,pwsh.exe,psexec.exe,psexec64.exe" OR ORIGINALFILENAME = "wmic.exe,powershell.exe,pwsh.dll,psexec.c") AND COMMANDLINE contains "/node,Invoke-Command,Enter-PSSession,-nop,hidden,binpath,psexec")
Action2:
actionname = "Advanced Threat detected" AND COMMANDLINE contains "procdump,rdrleakdiag,taskmgr,comsvcs.dll,werfault,svchost,dump,.dmp" AND ENDPOINT_NAME = Action1.HOSTNAME AND DOMAIN = Action1.DOMAIN AND USERNAME = Action1.USERNAME
sequence:Action1 followedby Action2 within 60m
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.TYPE,Action2.STATUS,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.COMMANDLINE,Action2.DOMAIN
Detection
Execution Mode
realtime
Log Sources
Bitdefender


