Introduction to Sigma Rules and Detection of Credential Harvesting

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, to download the report as a PDF.

Recorded Future’s Insikt Group created detections to run with SIEM software and incident response guides for 4 popular credential harvesting tools. Sources included the Recorded Future® Platform, Malpedia, PolySwarm, reverse engineering and open-source intelligence (OSINT) enrichments. The target audience for this research includes security practitioners, network defenders, and threat intelligence professionals who are interested in protecting organizations from credential harvesting tools.

Executive Summary

The use of credential harvesting tools is a common and powerful way for threat actors to gain additional access to your infrastructure. Details of a recent Ryuk incident show a 15-step procedure for victim compromise, 2 of which include the use of the credential harvesting tools Mimikatz and LaZagne. These tools were used to move laterally throughout the victim’s environment and compromise other hosts on the network.

This article details our research regarding Sigma based detection rules for Mimikatz, LaZagne, T-Rat 2.0, and Osno Stealer. Additionally, we provide an initial incident priority level and a high-level response procedure to help security operations teams respond to credential harvesting incidents.

The Sigma rules provided by the open-source Sigma project and the custom rules developed by Recorded Future (available to existing clients only) offer a powerful capability to detect and respond to credential harvesting using existing SIEM solutions. When combined with properly configured host-based logging, using tools such as Sysmon, Sigma rules can elevate the ability of an organization to detect and respond to threats with increased accuracy and efficiency.

Sigma is a standardized rule syntax which can be converted into many different SIEM-supported syntax formats. The Recorded Future Platform allows clients to access and download Sigma rules developed by Insikt Group for use in their organizations.

Key Judgements

• Most credential harvesting tools are high risk since they enable additional tactics, techniques, and procedures (TTPs) such as lateral movement and privilege escalation; commonly, credential harvesting tools are used as a second-stage tool and indicate the host is already compromised.
• Successful detection and response to credential harvesting activity may prevent intrusions from successfully completing their objectives.
• Sigma rules are an effective way to share detections among multiple platforms. Using Recorded Future priority levels and response procedures with Sigma rules provides an easy-to-implement detection and response capability for cybersecurity teams.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, to download the report as a PDF.