Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

No detection capability demonstrated for this procedure. However, with a SACL on %APPDATALOCAL%\Google\chrome\user data\default\, it would generate an event ;)
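As an added example that is not part of the comment above or of the OSSEM project: the Security 4663 records such a SACL would produce, reduced to the EventData fields a hunt uses, with a filter that drops Chrome's own reads of its profile so only foreign processes surface. The records, the profile path layout and the chrome.exe allowlist path are constructed assumptions.

```python
"""Hunt Security 4663 (object access) events for reads of the Chrome profile.

Added example, not code from the original thread. It assumes a SACL auditing
ReadData on the Chrome profile folder and the 'File System' object-access
subcategory enabled, which is what makes Windows emit 4663. The records below
are constructed to look like 4663 EventData; they are not real telemetry.
"""

# Path segment every Chrome profile shares (assumption: default install layout).
CHROME_PROFILE_MARKER = "\\appdata\\local\\google\\chrome\\user data\\"

FILE_READ_DATA = 0x1  # low bit of AccessMask: ReadData / ListDirectory

# Constructed sample records mimicking 4663 EventData.
SAMPLE_4663 = [
    {"EventID": 4663, "SubjectUserName": "pbeesly",
     "ObjectName": r"C:\Users\pbeesly\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "AccessMask": "0x1"},                      # Chrome reading its own store: noise
    {"EventID": 4663, "SubjectUserName": "pbeesly",
     "ObjectName": r"C:\Users\pbeesly\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Windows\Temp\accesschk.exe",
     "AccessMask": "0x1"},                      # foreign process reading Login Data
    {"EventID": 4663, "SubjectUserName": "pbeesly",
     "ObjectName": r"C:\Users\pbeesly\AppData\Local\Google\Chrome\User Data\Default\Cookies",
     "ProcessName": r"C:\Windows\Temp\accesschk.exe",
     "AccessMask": "0x20089"},                  # ReadData bit set among others: still a read
    {"EventID": 4663, "SubjectUserName": "pbeesly",
     "ObjectName": r"C:\Users\pbeesly\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "AccessMask": "0x1"},                      # outside the profile: ignored
    {"EventID": 4663, "SubjectUserName": "pbeesly",
     "ObjectName": r"C:\Users\pbeesly\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Windows\Temp\accesschk.exe",
     "AccessMask": "0x2"},                      # WriteData only: not a read, not flagged
]


def is_chrome_profile_path(object_name: str) -> bool:
    """Case-insensitive match on the profile directory segment."""
    return CHROME_PROFILE_MARKER in object_name.lower()


def reads_data(access_mask: str) -> bool:
    """AccessMask is logged as a hex string; test the ReadData bit."""
    return bool(int(access_mask, 16) & FILE_READ_DATA)


def find_profile_reads(
    events,
    allowed_images=(r"c:\program files\google\chrome\application\chrome.exe",),
):
    """Return (ProcessName, ObjectName) for 4663 reads of the profile by non-allowlisted images.

    The allowlist is matched on the full path, not the basename, so a dropper
    renamed chrome.exe in another directory is still reported.
    """
    allowed = {a.lower() for a in allowed_images}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if not is_chrome_profile_path(ev["ObjectName"]):
            continue
        if not reads_data(ev["AccessMask"]):
            continue
        if ev["ProcessName"].lower() in allowed:
            continue
        hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits


if __name__ == "__main__":
    for proc, obj in find_profile_reads(SAMPLE_4663):
        print(f"{proc} read {obj}")
```

Without the allowlist the SACL is mostly noise, because Chrome itself opens Login Data and Cookies constantly; with it, the two accesschk.exe reads are the only survivors of the constructed sample.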

# 6.A.2 Credential Dumping

Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords

Criteria: accesschk.exe executing the CryptUnprotectedData API

No detection capability demonstrated for this procedure.

# 6.A.3 Masquerading

Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool

Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool

Sysmon

```sql
SELECT Message
FROM apt29Host h
INNER JOIN (
  SELECT f.ProcessGuid
  FROM apt29Host f
  INNER JOIN (
    SELECT d.ProcessGuid, d.ParentProcessGuid
    FROM apt29Host d
    INNER JOIN (
      SELECT a.ProcessGuid, a.ParentProcessGuid...
```
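A complementary check for the same criterion, added here as an example and not the query from the comment above: instead of walking the ProcessGuid chain, compare the PE version fields Sysmon Event ID 1 records (OriginalFileName, Company) against what the real Sysinternals accesschk.exe carries. A renamed dump tool keeps its own version resource, so it fails the comparison. The rows are constructed, and the expected Sysinternals strings are assumptions about the tool's version resource, not values taken from the eval dataset.

```python
"""Evidence that accesschk.exe is not the Sysinternals binary, from Sysmon EID 1 metadata.

Added example, not the thread's query. Sysmon Event ID 1 carries OriginalFileName,
Company and Description from the PE version resource. The rows below are constructed,
and the Sysinternals strings they are compared against are assumptions.
"""
import sqlite3

# Constructed Sysmon Event ID 1 rows: (Image, OriginalFileName, Company, Description).
SYSMON_EID1_ROWS = [
    (r"C:\Tools\accesschk.exe", "accesschk.exe",
     "Sysinternals - www.sysinternals.com",
     "Reports effective permissions for securable objects"),      # genuine
    (r"C:\Windows\Temp\accesschk.exe", "pwdump_chrome.exe",
     "", "constructed dump tool"),                                 # renamed tool
    (r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
     "Microsoft Corporation", "Notepad"),                          # unrelated
    (r"C:\Users\pbeesly\Downloads\accesschk.exe", "accesschk.exe",
     "Contoso", "accesschk"),                                      # name forged, Company not
]

# Expected version-resource values for the real tool (assumption for this example).
SYSINTERNALS_COMPANY = "Sysinternals - www.sysinternals.com"

# Raw string so the backslash in the LIKE pattern reaches SQLite literally;
# SQLite LIKE has no escape character unless ESCAPE is given.
MASQUERADE_QUERY = r"""
SELECT Image, OriginalFileName, Company
FROM sysmon
WHERE EventID = 1
  AND lower(Image) LIKE '%\accesschk.exe'
  AND (lower(OriginalFileName) <> 'accesschk.exe'
       OR Company <> ?)
ORDER BY rowid
"""


def load_events(rows):
    """Stand in for the apt29Host table with an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sysmon (EventID INTEGER, Image TEXT, OriginalFileName TEXT, "
        "Company TEXT, Description TEXT)"
    )
    conn.executemany("INSERT INTO sysmon VALUES (1, ?, ?, ?, ?)", rows)
    return conn


def find_fake_accesschk(rows=SYSMON_EID1_ROWS):
    """Return Image paths of processes named accesschk.exe whose PE metadata does not match."""
    conn = load_events(rows)
    try:
        return [r[0] for r in conn.execute(MASQUERADE_QUERY, (SYSINTERNALS_COMPANY,))]
    finally:
        conn.close()


if __name__ == "__main__":
    for image in find_fake_accesschk():
        print("masquerading accesschk.exe:", image)
```

Version info is forgeable, so on real data the stronger test is the Hashes field against the known-good Sysinternals hash; the metadata comparison is the cheap first pass that already separates the two constructed impostors from the genuine copy.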

https://github.com/OTRF/OSSEM-DM/commit/5b9980f1cc94f8d0e7e016659bb3674fe2b08785

![image](https://user-images.githubusercontent.com/9653181/131704696-3b1e8f9b-88e0-492d-9d05-04bdd8b7905d.png)

> ```python
> files = spark.sql(
> '''
> SELECT Image, TargetFilename
> FROM apt29Table
> WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
> AND EventID = 11 AND TargetFilename LIKE "%.scr%" ''')
> files.show(40)...
> ```

Correct @emiliedns :) Good one! I didn't remember that one https://github.com/hunters-forge/OSSEM/blob/master/data_dictionaries/windows/sysmon/events/event-15.md

I like this approach @gonzalomarcos! Thank you for sharing. I wonder how something like that can be written in Sigma. @thomaspatzke is that something that can be done with...