Hackers use the Spraykatz tool to harvest credentials while conducting lateral movement.
Lateral movement is when a cyber-attacker moves from one system or network to another to remain undetected, gain access to sensitive and high-value data, or gain escalated privileges. To do so, they require tools that can access credentials.
Spraykatz is a tool without any pretension, able to retrieve credentials on Windows machines and in large Active Directory environments. It simply tries to procdump machines and parse the dumps remotely, in order to avoid detection by antivirus software as much as possible.
Spraykatz works by bypassing the “lsass” process: it creates and runs a process similar to lsass within itself, and by using that similar process it jumps over lsass.exe, meaning that lsass.exe is not executed while Spraykatz is running.
This rule relies on Sysmon events and is written in the Sigma format.
title: spraykatz hunting
description: Spraykatz is a tool without any pretension able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse dumps remotely in order to avoid detection by antivirus software as much as possible.
author: AmirAli Amiri
- credential steal
- privilege escalation
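The detection block of the rule itself is not reproduced on this page. As an added illustration (not the author's Sigma rule and not Spraykatz code), the following Python models the Sysmon signal that procdump-style credential harvesting leaves behind: Sysmon Event ID 10 (ProcessAccess) records in which a process outside a small allowlist opens lsass.exe with the PROCESS_VM_READ right. The event records, the allowlist and the folding of EventID into the message body are constructed assumptions for this example, not values taken from the page.

```python
"""Constructed example: scanning Sysmon Event ID 10 (ProcessAccess) records
for memory reads of lsass.exe, the trace left by procdump-style credential
dumping. Not the page's Sigma rule and not Spraykatz code."""

from typing import Dict, List, Tuple

# Win32 process access right that allows reading another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of OS components that legitimately open lsass.exe.
# A real deployment derives this from its own baseline, not from this list.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def parse_event(block: str) -> Dict[str, str]:
    """Parse a 'Key: value' block laid out like a Sysmon event message body."""
    fields: Dict[str, str] = {}
    for raw in block.strip().splitlines():
        key, sep, value = raw.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_lsass_memory_read(fields: Dict[str, str]) -> bool:
    """True when a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if fields.get("EventID") != "10":
        return False
    target = fields.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = fields.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    try:
        granted = int(fields.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return bool(granted & PROCESS_VM_READ)


def find_lsass_dumps(blocks: List[str]) -> List[Tuple[str, int]]:
    """Return (SourceImage, GrantedAccess) for every event block that matches."""
    hits: List[Tuple[str, int]] = []
    for block in blocks:
        fields = parse_event(block)
        if is_lsass_memory_read(fields):
            hits.append((fields["SourceImage"], int(fields["GrantedAccess"], 16)))
    return hits


# Constructed sample events; EventID is folded into the body for the example.
SAMPLE_EVENTS = [
    r"""EventID: 10
UtcTime: 2024-01-01 10:00:00.000
SourceImage: C:\Windows\system32\csrss.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF""",
    r"""EventID: 10
UtcTime: 2024-01-01 10:00:05.000
SourceImage: C:\Windows\Temp\procdump64.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF""",
    r"""EventID: 10
UtcTime: 2024-01-01 10:00:07.000
SourceImage: C:\Users\alice\tool.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400""",
    r"""EventID: 10
UtcTime: 2024-01-01 10:00:09.000
SourceImage: C:\Users\alice\tool.exe
TargetImage: C:\Windows\system32\notepad.exe
GrantedAccess: 0x1010""",
]

if __name__ == "__main__":
    for source, access in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"lsass memory read by {source} (GrantedAccess=0x{access:X})")
```

Only the second sample fires: the first comes from an allowlisted OS component, the third opens lsass.exe without the memory-read right, and the fourth targets a different process. In practice the GrantedAccess mask is a frequent false-positive source (antivirus and EDR agents also read lsass.exe), so the allowlist must be tuned from the environment's own Sysmon baseline before this logic is translated into a production Sigma rule.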
To use this detection rule, convert it to your SIEM's query language.
You can also check out our previous Sigma detection rule.