Merge pull request #570 from Neo23x0/devel

CreateMiniDump
This commit is contained in:
Florian Roth 2019-12-22 08:40:45 +01:00 committed by GitHub
commit a7ca386a1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 2 deletions


@ -1,10 +1,12 @@
title: Bloodhound Hack Tool
title: Bloodhound and Sharphound Hack Tool
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
description: Detects command line parameters used by Bloodhound hack tool
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
author: Florian Roth
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
date: 2019/12/20
modified: 2019/12/21
tags:
- attack.discovery
- attack.t1087
@ -26,6 +28,10 @@ detection:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection4:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of them
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
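Review bot: The new `selection4` patterns `' DCOnly '` and `' --NoSaveCache '` both require a trailing space, so a command line where either token is the last argument (likely for a bare switch such as `--NoSaveCache`, which takes no value) will not match. Dropping the trailing space, e.g. `- ' --NoSaveCache'`, keeps the leading-space anchoring while closing that coverage gap; the existing selections are less exposed because `-JsonFolder` and `-ZipFileName` are always followed by a value. The `detection` block that holds selection4 starts before this hunk.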


@ -0,0 +1,33 @@
action: global
title: CreateMiniDump Hacktool
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
author: Florian Roth
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
date: 2019/12/22
tags:
- attack.credential_access
- attack.t1003
falsepositives:
- Unknown
level: high
---
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|contains: '\CreateMiniDump.exe'
selection2:
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
condition: 1 of them
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFileName|contains: '*\lsass.dmp'
condition: 1 of them
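Review bot: `TargetFileName|contains: '*\lsass.dmp'` mixes a literal `*` wildcard into a `contains` modifier, which already adds wildcards on both sides; depending on the backend the `*` is either redundant or escaped as a literal character, so `TargetFileName|endswith: '\lsass.dmp'` states the intent unambiguously. The field name also looks off: Sysmon Event ID 11 exposes the path as `TargetFilename`, which is what Sysmon-based rules elsewhere in the repository typically use, so this should be confirmed against the backend field mapping before merge. The second document pins `service: sysmon` while the first uses the generic `process_creation` category; if the repository already defines a `file_event` category, using it here would keep the rule portable across log sources. Finally, `falsepositives: Unknown` understates it — administrators creating an LSASS dump through Task Manager or a debugger for troubleshooting produce the same file name, which is worth listing given `level: high`.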