Credential Dumping Tools - Service Installation
This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event |
|---|---|
| Service Control Manager (System log) | Event ID 7045: A service was installed in the system |
Rule body
```yaml
id: 4ebbb5c2-8802-11ec-a8a3-0242ac120002
name: Credential Dumping Tools - Service Installation
description: |
  'This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.'
severity: High
status: Available
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - Event
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - Event
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1003.001
query: |
  // Reference list of service-name and binary-name artifacts left by common credential dumping tools.
  // has_any matches whole terms and is case-insensitive.
  let MaliciousServiceArtifacts = dynamic (["fgexec","cachedump","mimikatz","mimidrv","wceservice","pwdump"]);
  Event
  | where Source == "Service Control Manager" and EventID == 7045
  | parse EventData with * 'ServiceName">' ServiceName "<" * 'ImagePath">' ImagePath "<" *
  | where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)
  | parse EventData with * 'AccountName">' AccountName "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName
  | extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: ImagePath
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain
version: 1.0.3
kind: Scheduled
```
Stages and Predicates
Parameters
let MaliciousServiceArtifacts = dynamic (["fgexec","cachedump","mimikatz","mimidrv","wceservice","pwdump"]);
Stage 1: source
Event
Stage 2: where
| where Source == "Service Control Manager" and EventID == 7045
Stage 3: parse
| parse EventData with * 'ServiceName">' ServiceName "<" * 'ImagePath">' ImagePath "<" *
The two literals must appear in this order in EventData; when they do not, parse yields empty values and the row is silently dropped by the next stage.
Stage 4: where
| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)
has_any is case-insensitive but matches whole terms, not substrings: "mimikatz" matches an ImagePath of C:\Tools\mimikatz.exe (the file name is a separate token) but not a ServiceName of mimikatz64svc. The rule therefore catches default tool artifacts only; renamed binaries and service names evade it.
Stage 5: parse
| parse EventData with * 'AccountName">' AccountName "<" *
Stage 6: summarize
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName
Stage 7: extend
| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')
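The seven stages above, re-implemented in Python over constructed Event-table rows so the matching behaviour can be checked offline. This is an added example, not part of the rule or the catalog; the EventData layout follows the `<Data Name="...">value</Data>` shape of the 7045 event XML, and hostnames, paths, timestamps and the `kql_has` tokenizer (alphanumeric runs) are assumptions. It shows the term-based semantics of `has_any`, the empty result of a failed `parse`, and the `summarize`/`extend` output that feeds the entity mappings.

```python
import re

# Artifact list copied from the rule; KQL has_any is case-insensitive.
MALICIOUS_SERVICE_ARTIFACTS = ["fgexec", "cachedump", "mimikatz", "mimidrv", "wceservice", "pwdump"]


def _event_data(service, image, account):
    """Constructed 7045 EventData in the <Data Name="...">value</Data> shape (values invented)."""
    return ('<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<Data Name="ServiceName">{service}</Data>'
            f'<Data Name="ImagePath">{image}</Data>'
            '<Data Name="ServiceType">user mode service</Data>'
            '<Data Name="StartType">demand start</Data>'
            f'<Data Name="AccountName">{account}</Data></EventData>')


# Constructed sample rows shaped like the Sentinel Event table (assumed hosts, paths, times).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-03-01T10:00:00Z", "Source": "Service Control Manager", "EventID": 7045,
     "Computer": "ws01.corp.example.com",
     "EventData": _event_data("mimidrv", "C:\\Users\\Public\\mimidrv.sys", "")},
    {"TimeGenerated": "2024-03-01T10:05:00Z", "Source": "Service Control Manager", "EventID": 7045,
     "Computer": "ws01.corp.example.com",
     "EventData": _event_data("mimidrv", "C:\\Users\\Public\\mimidrv.sys", "")},  # same key: collapses to one row
    {"TimeGenerated": "2024-03-01T11:00:00Z", "Source": "Service Control Manager", "EventID": 7045,
     "Computer": "srv02.corp.example.com",
     "EventData": _event_data("UpdaterSvc", "C:\\Tools\\MIMIKATZ.exe", "LocalSystem")},  # hit via ImagePath
    {"TimeGenerated": "2024-03-01T12:00:00Z", "Source": "Service Control Manager", "EventID": 7045,
     "Computer": "srv02.corp.example.com",
     "EventData": _event_data("mimikatz64svc", "C:\\Tools\\svc.exe", "LocalSystem")},  # single term: no hit
    {"TimeGenerated": "2024-03-01T13:00:00Z", "Source": "Service Control Manager", "EventID": 7036,
     "Computer": "srv02.corp.example.com",
     "EventData": _event_data("mimikatz", "C:\\Tools\\mimikatz.exe", "LocalSystem")},  # wrong EventID
]

# Regex equivalents of the two KQL parse patterns (literal, column, "<", skip).
_SERVICE_IMAGE = re.compile(r'ServiceName">(.*?)<.*?ImagePath">(.*?)<', re.S)
_ACCOUNT = re.compile(r'AccountName">(.*?)<', re.S)


def kql_parse(pattern, text, n):
    """Emulate KQL parse: columns are the text between the literals; no match gives n empty values."""
    m = pattern.search(text)
    return m.groups() if m else ("",) * n


def kql_has(text, term):
    """Emulate KQL `has` for an alphanumeric term of 3+ chars: the term must equal a whole token,
    ignoring case. Tokenizing on alphanumeric runs is an approximation of the Kusto term index."""
    tokens = re.findall(r"[A-Za-z0-9]+", text)
    return any(tok.lower() == term.lower() for tok in tokens)


def kql_has_any(text, terms):
    return any(kql_has(text, t) for t in terms)


def run_rule(events, artifacts=MALICIOUS_SERVICE_ARTIFACTS):
    """Stages 1-7: filter, parse, match, parse account, summarize, extend HostName/DnsDomain."""
    groups = {}
    for e in events:
        if not (e["Source"] == "Service Control Manager" and e["EventID"] == 7045):   # Stage 2
            continue
        service, image = kql_parse(_SERVICE_IMAGE, e["EventData"], 2)                  # Stage 3
        if not (kql_has_any(service, artifacts) or kql_has_any(image, artifacts)):     # Stage 4
            continue
        (account,) = kql_parse(_ACCOUNT, e["EventData"], 1)                            # Stage 5
        key = (e["EventID"], e["Computer"], service, image, account)                    # Stage 6
        start, end = groups.get(key, (e["TimeGenerated"], e["TimeGenerated"]))
        groups[key] = (min(start, e["TimeGenerated"]), max(end, e["TimeGenerated"]))
    results = []
    for (event_id, computer, service, image, account), (start, end) in groups.items():
        labels = computer.split(".")                                                    # Stage 7
        results.append({"StartTime": start, "EndTime": end, "EventID": event_id, "Computer": computer,
                        "ServiceName": service, "ImagePath": image, "AccountName": account,
                        "HostName": labels[0], "DnsDomain": ".".join(labels[1:])})
    return results


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: the duplicated mimidrv installs on ws01 collapse into one row spanning 10:00 to 10:05 with an empty AccountName, and the UpdaterSvc install on srv02 matches through its ImagePath despite the upper-case file name. The mimikatz64svc service and the 7036 event produce nothing, which is the gap to keep in mind when tuning the artifact list.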
Indicators
Each row is a field, operator and value that the rule matches on; the values are taken from the rule body above.
| Field | Kind | Values |
|---|---|---|
| Source | eq | Service Control Manager |
| EventID | eq | 7045 |
| ImagePath | match (has_any) | fgexec, cachedump, mimikatz, mimidrv, wceservice, pwdump |
| ServiceName | match (has_any) | fgexec, cachedump, mimikatz, mimidrv, wceservice, pwdump |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| AccountName | summarize |
| Computer | summarize |
| EndTime | summarize |
| EventID | summarize |
| ImagePath | summarize |
| ServiceName | summarize |
| StartTime | summarize |
| DnsDomain | extend |
| HostName | extend |