2019-01-16 22:36:31 +00:00
title : Suspicious Use of Procdump
2019-11-12 22:12:27 +00:00
id : 5afee48e-67dd-4e03-a783-f74259dcf998
2019-11-18 14:26:55 +00:00
description : Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
2019-01-16 22:36:31 +00:00
status : experimental
references :
2019-03-01 23:14:20 +00:00
- Internal Research
2019-01-16 22:36:31 +00:00
author : Florian Roth
date : 2018 /10/30
2019-10-14 14:21:37 +00:00
modified : 2019 /10/14
2019-01-16 22:36:31 +00:00
tags :
2019-03-01 23:14:20 +00:00
- attack.defense_evasion
- attack.t1036
- attack.credential_access
2020-06-16 20:46:08 +00:00
- attack.t1003.001
2020-08-28 14:14:26 +00:00
- attack.t1003 # an old one
- car.2013-05-009
2019-01-16 22:36:31 +00:00
logsource :
2019-03-01 23:14:20 +00:00
category : process_creation
product : windows
2019-01-16 22:36:31 +00:00
detection :
2019-03-01 23:14:20 +00:00
selection1 :
CommandLine :
- '* -ma *'
selection2 :
CommandLine :
2019-10-14 15:26:33 +00:00
- '* lsass*'
2019-10-14 14:21:37 +00:00
selection3 :
CommandLine :
- '* -ma ls*'
condition : ( selection1 and selection2 ) or selection3
2019-01-16 22:36:31 +00:00
falsepositives :
2019-03-01 23:14:20 +00:00
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
2020-02-18 09:03:25 +00:00
level : high