From 511229c0b69af5a3a6ce3b4ac2471a4e64a17875 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 21 Dec 2019 21:22:13 +0100
Subject: [PATCH 1/2] rule: modified Bloodhound rule

---
 rules/windows/process_creation/win_hack_bloodhound.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml
index 743cc2a0..ad873d21 100644
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@@ -1,10 +1,12 @@
-title: Bloodhound Hack Tool
+title: Bloodhound and Sharphound Hack Tool
 id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
-description: Detects command line parameters used by Bloodhound hack tool
+description: Detects command line parameters used by Bloodhound and Sharphound hack tools
 author: Florian Roth
 references:
 - https://github.com/BloodHoundAD/BloodHound
+ - https://github.com/BloodHoundAD/SharpHound
 date: 2019/12/20
+modified: 2019/12/21
 tags:
 - attack.discovery
 - attack.t1087
@@ -26,6 +28,10 @@ detection:
 CommandLine|contains|all:
 - ' -JsonFolder '
 - ' -ZipFileName '
+ selection4:
+ CommandLine|contains|all:
+ - ' DCOnly '
+ - ' --NoSaveCache '
 condition: 1 of them
 falsepositives:
 - Other programs that use these command line option and accepts an 'All' parameter

From fb76f2b9acb8accb0420baa7206b5243ce1434e7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 22 Dec 2019 08:29:12 +0100
Subject: [PATCH 2/2] rule: CreateMiniDump

---
 .../win_hktl_createminidump.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/process_creation/win_hktl_createminidump.yml

diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
new file mode 100644
index 00000000..a0e556d8
--- /dev/null
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
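Review bot: The new `title:` and `description:` lines spell the tool `Sharphound` while the reference added in the same hunk and the upstream project write it `SharpHound`; using the project's own casing keeps the rule findable by name, e.g. `title: Bloodhound and SharpHound Hack Tool`. The same spelling fix applies to the new description line.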
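Review bot: The added `selection4` requires `' DCOnly '` and `' --NoSaveCache '` each with a trailing space, so a command line where either token is the final argument has nothing after it and `contains` will not match. Dropping the trailing space, `- ' DCOnly'` and `- ' --NoSaveCache'`, keeps the leading-space word boundary while still matching an option at the end of the line; the same gap exists on the `' -JsonFolder '`/`' -ZipFileName '` context lines, which this change does not touch. The `falsepositives` entry still only describes programs that accept an `'All'` parameter and should also cover the new `DCOnly`/`--NoSaveCache` tokens. The enclosing `detection:` block begins outside the hunk.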
@@ -0,0 +1,33 @@
+action: global
+title: CreateMiniDump Hacktool
+id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
+author: Florian Roth
+references:
+ - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+date: 2019/12/22
+tags:
+ - attack.credential_access
+ - attack.t1003
+falsepositives:
+ - Unknown
+level: high
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|contains: '\CreateMiniDump.exe'
+ selection2:
+ Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ TargetFileName|contains: '*\lsass.dmp'
+ condition: 1 of them
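Review bot: In the sysmon section, `TargetFileName|contains: '*\lsass.dmp'` embeds a literal `*` inside a `contains` value; `contains` already wraps the value in wildcards, so the extra `*` is either redundant or, on backends that escape `*` inside values, becomes a literal asterisk that never matches. `TargetFileName|endswith: '\lsass.dmp'` states the intent without that ambiguity, and the Sysmon Event ID 11 field is spelled `TargetFilename` (lower-case n), which matters on case-sensitive backends. The process_creation section's `Image|contains: '\CreateMiniDump.exe'` would likewise be more precise as `Image|endswith: '\CreateMiniDump.exe'`. With `falsepositives: Unknown` and `level: high`, note that a file named `lsass.dmp` is not specific to this tool (Task Manager's "Create dump file" and other legitimate troubleshooting write the same name), so the sysmon branch deserves its own falsepositives entry rather than relying on the tool-name and imphash selections alone.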