Detecting the presence of SafetyKatz tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to detect the use of SafetyKatz.exe and BetterSafetyKatz.exe, tools primarily designed for legitimate credential extraction within AD environments.

Data source:

Windows: process, user account

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0006 - Credential Access, TA0008 - Lateral Movement

Techniques: T1003 - OS Credential Dumping, T1548 - Abuse Elevation Control Mechanism, T1003.001 - LSASS Memory, T1210 - Exploitation of Remote Services

Sub-techniques: T1021.001 - Remote Services: Remote Desktop Protocol

Criteria:

Original file name ends with "BetterSafetyKatz.exe" or "SafetyKatz.exe": the rule checks whether the original file name recorded in the event log ends with "BetterSafetyKatz.exe" OR "SafetyKatz.exe". Because the two conditions are joined by OR, a match on either file name is enough to trigger the rule.

Process name ends with "BetterSafetyKatz.exe" or "SafetyKatz.exe": if EventLog Analyzer detects a running process whose name matches either of these criteria, the rule will likely trigger an alert when the alert profile is enabled.
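The two criteria above, applied to Sysmon process-creation (Event ID 1) records, as an added illustration that is not EventLog Analyzer's own implementation. It assumes the "ends with" comparison is case-insensitive (as Windows file names are) and uses constructed sample events containing only the `Image` and `OriginalFileName` fields; the third sample shows why the original-file-name criterion matters when the binary has been renamed on disk.

```python
import xml.etree.ElementTree as ET

# Suffixes the rule looks for, compared case-insensitively (assumption: the
# product's "ends with" match ignores case, as Windows file names do).
SUFFIXES = ("bettersafetykatz.exe", "safetykatz.exe")
SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _field(event_xml: str, name: str) -> str:
    """Return one EventData field from a Sysmon event rendered as XML."""
    root = ET.fromstring(event_xml)
    for data in root.iterfind(".//e:EventData/e:Data", SYSMON_NS):
        if data.get("Name") == name:
            return data.text or ""
    return ""

def matches_rule(event_xml: str) -> dict:
    """Apply both criteria of the rule to a single Sysmon Event ID 1 record."""
    original = _field(event_xml, "OriginalFileName").lower()
    image = _field(event_xml, "Image").lower()
    return {
        "original_file_name": any(original.endswith(s) for s in SUFFIXES),
        "process_name": any(image.endswith(s) for s in SUFFIXES),
    }

def alerts(events) -> list:
    """Return the indexes of events for which either criterion is true (OR)."""
    return [i for i, e in enumerate(events) if any(matches_rule(e).values())]

# Constructed sample events (not real telemetry): a Sysmon process-creation
# event reduced to the two fields the rule uses.
def _sysmon_event(image: str, original_file_name: str) -> str:
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>1</EventID></System><EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="OriginalFileName">{original_file_name}</Data>'
        "</EventData></Event>"
    )

SAMPLE_EVENTS = [
    _sysmon_event(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),
    _sysmon_event(r"C:\Users\a\Downloads\SafetyKatz.exe", "SafetyKatz.exe"),
    # Renamed on disk: only the PE's original file name still gives it away.
    _sysmon_event(r"C:\Temp\svchost.exe", "BetterSafetyKatz.exe"),
]

if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"event {i}: {matches_rule(SAMPLE_EVENTS[i])}")
```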

When to enable this rule:

Enable this rule when the user wants to detect lateral movement or privilege escalation attempts using legitimate tooling. This rule can be helpful for identifying attackers who are trying to move through a compromised network after gaining initial access, potentially using stolen credentials.

Compliance mapping (NIST, CIS):

Enabling this rule will help you meet the following requirements of regulatory standards and compliance mandates pertaining to the detection of malicious software installations.

NIST Cybersecurity Framework (CSF):

Anomalies in System Process Execution (DE.AE-1): Detection of unusual process executions or command-line arguments indicative of SafetyKatz usage, such as attempts to extract or manipulate credentials.

Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or memory dumps.

Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit credential vulnerabilities or elevate privileges.

CIS:

Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SafetyKatz and similar tools targeting credential manipulation.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SafetyKatz usage or suspicious activities targeting credentials.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.