2019-04-03 11:51:59 +00:00
|
|
|
title: LSASS Memory Dump
|
2019-11-12 22:12:27 +00:00
|
|
|
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
|
2019-04-03 11:51:59 +00:00
|
|
|
status: experimental
|
2019-04-03 12:06:49 +00:00
|
|
|
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
|
2019-04-03 11:51:59 +00:00
|
|
|
author: Samir Bousseaden
|
2020-01-30 15:07:37 +00:00
|
|
|
date: 2019/04/03
|
2019-04-03 11:51:59 +00:00
|
|
|
references:
|
|
|
|
|
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
|
|
|
|
|
tags:
|
|
|
|
|
- attack.t1003
|
|
|
|
|
- attack.s0002
|
|
|
|
|
- attack.credential_access
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
EventID: 10
|
|
|
|
|
TargetImage: 'C:\windows\system32\lsass.exe'
|
|
|
|
|
GrantedAccess: '0x1fffff'
|
2019-04-03 12:06:49 +00:00
|
|
|
CallTrace:
|
|
|
|
|
- '*dbghelp.dll*'
|
|
|
|
|
- '*dbgcore.dll*'
|
2019-04-03 11:51:59 +00:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
|
|
|
|
- unknown
|
|
|
|
|
level: high
|
