Antivirus vendors provide detection for endpoint threats and routinely generate log messages when those detections occur. Detection findings from a range of AV vendors (Kaspersky, McAfee, Sophos, Symantec, Trend Micro, Windows Defender, and Microsoft Antimalware) can be surfaced through Windows event logs by ingesting these messages. Detection of well-known hack tools such as pwdump, wincred, and Mimikatz in particular is expected to be highly correlated with malicious post-compromise activity.
- An attacker compromises a Windows server.
- The attacker downloads hacking tools via common techniques.
- The attacker has system-level privileges to perform password dumping.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
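The ingestion-and-correlation step described above, as an added example that is not Alert Logic's code: a small Python routine that parses AV detection messages (the pipe-delimited field layout and every sample line below are constructed for this example, not any vendor's real log format), normalises them, and raises an incident for any record whose threat name references one of the hack tools named in this advisory. The match is deliberately independent of the AV action field, since a quarantined Mimikatz binary still indicates the host was already compromised.

```python
"""Correlate AV detection log lines for known credential-dumping tools.

Added example (not Alert Logic's code): parses constructed AV detection
messages, normalises them, and flags records whose threat name references
a known post-compromise tool (pwdump, wincred, Mimikatz).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Hack-tool name fragments named in the advisory. Matching is case-insensitive
# and tolerant of vendor-specific prefixes/suffixes such as "HackTool:Win32/...".
HACK_TOOL_PATTERNS = [
    re.compile(r"mimikatz", re.IGNORECASE),
    re.compile(r"pwdump", re.IGNORECASE),
    re.compile(r"wincred", re.IGNORECASE),
]

# Constructed sample lines. The field layout (vendor|host|user|threat|action)
# is an assumption for this example, not any vendor's real log format.
SAMPLE_EVENTS = [
    "Windows Defender|srv-fin-01|CORP\\svc_backup|HackTool:Win32/Mimikatz|Quarantined",
    "Symantec|ws-042|CORP\\jdoe|Trojan.Gen.2|Cleaned",
    "McAfee|srv-dc-02|NT AUTHORITY\\SYSTEM|PWDump.gen|Deleted",
    "Sophos|srv-fin-01|CORP\\svc_backup|Mal/Generic-S|Blocked",
    "Kaspersky|srv-app-07|CORP\\admin|not-a-virus:RiskTool.Win32.WinCred.a|Detected",
    "garbage line with no delimiters",
]


@dataclass
class Detection:
    vendor: str
    host: str
    user: str
    threat: str
    action: str


def parse_event(line: str) -> Optional[Detection]:
    """Split one pipe-delimited detection message; return None if malformed."""
    parts = line.split("|")
    if len(parts) != 5:
        return None
    return Detection(*(p.strip() for p in parts))


def is_hack_tool(threat_name: str) -> bool:
    """True if the vendor's threat name references a known hack tool."""
    return any(p.search(threat_name) for p in HACK_TOOL_PATTERNS)


def find_incidents(lines: Iterable[str]) -> List[Detection]:
    """Return detections that name a known credential-dumping tool.

    The AV action (Quarantined, Deleted, ...) is intentionally ignored: the
    tool being present at all is the post-compromise indicator.
    """
    incidents: List[Detection] = []
    for line in lines:
        det = parse_event(line)
        if det is None:
            continue  # skip malformed input instead of failing the whole batch
        if is_hack_tool(det.threat):
            incidents.append(det)
    return incidents


def hosts_with_incidents(lines: Iterable[str]) -> Set[str]:
    """Distinct hosts that need follow-up investigation."""
    return {d.host for d in find_incidents(lines)}


if __name__ == "__main__":
    for inc in find_incidents(SAMPLE_EVENTS):
        print(f"INCIDENT host={inc.host} user={inc.user} vendor={inc.vendor} "
              f"threat={inc.threat} action={inc.action}")
```

Running it against the constructed samples yields three incidents (the Defender, McAfee and Kaspersky records) on three distinct hosts; the generic Trojan and Sophos detections are left for ordinary AV triage, and the malformed line is dropped rather than aborting the batch.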
Recommendations for Mitigation
The attacker must have exploited some other entry vector to allow the malicious files to become resident on the victim machine.