And from a Snort angle. Original post: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-February.txt
<snip>
Url: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/attachments/20050208/100554f8/attachment.bin

From mjonkman at infotex.com Tue Feb 8 15:43:12 2005
From: mjonkman at infotex.com (Matt Jonkman)
Date: Tue Feb 8 15:44:56 2005
Subject: [Bleeding-sigs] PWDUMP3E Rule Change
Message-ID: <[EMAIL PROTECTED]>

This rule is being altered as per this forum conversation below:

alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0\:"; flow:from_server,established; classtype:misc-attack; sid:2000563; rev:6;)

alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0\:"; flow:from_server,established; classtype:misc-attack; sid:2000568; rev:5;)

The trailing :'s are new.
</snip>

Obviously it gets more complicated with different versions, including 'custom' and unreleased-to-the-public versions. Then there's defining what you're looking for: the tool in activity, if it's getting uploaded or downloaded, etc. ...and crypto.

Thanks,
--scm

On 4/13/06, M. Burnett <[EMAIL PROTECTED]> wrote:
> There are a number of ways that you can detect pwdump when it is run either
> locally or remotely, especially if you have some way to correlate multiple
> event log events.
>
> If you audit object access, privilege use, and process tracking in the event
> logs you will see access to lsass.exe and pwdump.exe (or pwservice.exe
> remotely). You will also see use of SeDebugPrivilege. A number of these
> events in a row will alert you to someone using pwdump with very high
> certainty.
>
> I also noticed that Windows Defender creates an event in the System event
> log when pwdump runs.
>
> Mark Burnett
>
> -----Original Message-----
> From: Simon Taplin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 13, 2006 9:03 AM
> To: Focus-Ms
> Subject: Detecting PwDump
>
> Is there any way to detect if someone is using pwdump3/6 using the network
> feature to dump passwords from a Windows 2000/2003 Server?
>
> Simon
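The host-side correlation that Mark Burnett's reply describes (process tracking, privilege use and object access audited, then "a number of these events in a row"), written out as an added example. This is not code from the thread or from any pwdump or Snort project. It assumes the classic pre-Vista Security-log event IDs (592 process created, 577/578 privilege use, 560 object open), a 30-second correlation window, and the constructed sample events embedded below; it also goes one step past the thread by showing that a renamed copy of the tool, which the process-name check misses, is still caught by the SeDebugPrivilege plus lsass.exe handle pair.

```python
"""Correlate Windows 2000/2003 Security-log events into a pwdump alert.

Added example, not from the original thread.  Event IDs, window length and
the sample events are assumptions for illustration; check the IDs against
the audited host before reusing them.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed classic (pre-Vista) Security-log event IDs.
PROCESS_CREATED = {592}          # "A new process has been created"
PRIVILEGE_USED = {577, 578}      # privileged service called / object operation
OBJECT_OPENED = {560}            # "Object Open" (handle to an audited object)

# Image names from the thread plus the obvious version-suffixed variants
# (assumed); a renamed binary is handled by the other two indicators.
PWDUMP_IMAGES = {"pwdump.exe", "pwdump3.exe", "pwdump6.exe", "pwservice.exe"}
WINDOW_SECONDS = 30              # assumed correlation window


@dataclass(frozen=True)
class Event:
    ts: int           # seconds on some epoch; constructed values below
    event_id: int
    host: str
    image: str        # image of the process that generated the event
    detail: str = ""  # privilege name (577/578) or object name (560)


def indicator(e: Event):
    """Map one audit event to a pwdump indicator name, or None if benign."""
    name = e.image.lower().rsplit("\\", 1)[-1]
    if e.event_id in PROCESS_CREATED and name in PWDUMP_IMAGES:
        return "pwdump_process_created"
    if e.event_id in PRIVILEGE_USED and e.detail == "SeDebugPrivilege":
        return "sedebug_used"
    if e.event_id in OBJECT_OPENED and e.detail.lower().endswith("lsass.exe"):
        return "lsass_handle_opened"
    return None


def correlate(events, window=WINDOW_SECONDS, threshold=2):
    """Return {(host, image): (score, indicators)} for every process that,
    inside any `window`-second span, produced >= threshold distinct
    indicators.  Score 3 (named process + SeDebugPrivilege + lsass handle)
    is the "very high certainty" case; a lone SeDebugPrivilege use, as a
    debugger produces, scores 1 and is not reported."""
    per_proc = defaultdict(list)
    for e in events:
        ind = indicator(e)
        if ind is not None:
            per_proc[(e.host, e.image.lower())].append((e.ts, ind))

    hits = {}
    for key, obs in per_proc.items():
        obs.sort()
        best = (0, frozenset())
        for i, (t0, _) in enumerate(obs):          # window anchored at each event
            inds = frozenset(ind for t, ind in obs[i:] if t - t0 <= window)
            if len(inds) > best[0]:
                best = (len(inds), inds)
        if best[0] >= threshold:
            hits[key] = best
    return hits


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # pwdump run as-is on srv1: all three indicators within seconds
    Event(100, 592, "srv1", "C:\\tools\\pwdump.exe"),
    Event(101, 578, "srv1", "C:\\tools\\pwdump.exe", "SeDebugPrivilege"),
    Event(102, 560, "srv1", "C:\\tools\\pwdump.exe", "C:\\WINDOWS\\system32\\lsass.exe"),
    # benign: a debugger asserting SeDebugPrivilege with nothing else
    Event(200, 577, "srv1", "C:\\Debuggers\\windbg.exe", "SeDebugPrivilege"),
    # renamed copy on srv2: the name check fails, the behaviour does not
    Event(300, 592, "srv2", "C:\\temp\\svchost32.exe"),
    Event(300, 578, "srv2", "C:\\temp\\svchost32.exe", "SeDebugPrivilege"),
    Event(301, 560, "srv2", "C:\\temp\\svchost32.exe", "C:\\WINDOWS\\system32\\lsass.exe"),
]

if __name__ == "__main__":
    for (host, image), (score, inds) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {image} score={score} {sorted(inds)}")
```

Only the combination is alerted on: the debugger's SeDebugPrivilege use scores 1 and stays quiet, the unmodified pwdump scores 3, and the renamed copy still scores 2 because the privilege use and the lsass.exe handle are what the tool needs regardless of its file name. The trade-off is the window length: too short and a slow remote pwservice.exe run splits across windows, too long and unrelated privilege use on a busy host starts to pair up.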
