SigmaHQ/rules/windows/process_creation/win_hktl_createminidump.yml

35 lines
990 B
YAML
Raw Normal View History

2019-12-22 07:29:12 +00:00
action: global
title: CreateMiniDump Hacktool
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
author: Florian Roth
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
date: 2019/12/22
tags:
- attack.credential_access
2020-06-17 17:31:40 +00:00
- attack.t1003.001
- attack.t1003 # an old one
2019-12-22 07:29:12 +00:00
falsepositives:
- Unknown
level: high
---
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|contains: '\CreateMiniDump.exe'
selection2:
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
condition: 1 of them
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|contains: '*\lsass.dmp'
2019-12-22 07:29:12 +00:00
condition: 1 of them