mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
701e7f7cc6
- new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
50 lines
1.6 KiB
YAML
50 lines
1.6 KiB
YAML
title: Generic Password Dumper Activity on LSASS
|
|
description: Detects process handle on LSASS process with certain access mask
|
|
status: experimental
|
|
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, oscd.community (update)
|
|
date: 2019/11/01
|
|
references:
|
|
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
|
|
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
- car.2019-04-004
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection_1:
|
|
EventID: 4656
|
|
ObjectName: '*\lsass.exe'
|
|
AccessMask|contains:
|
|
- '0x40'
|
|
- '0x1400'
|
|
- '0x1000'
|
|
- '0x100000'
|
|
- '0x1410' # car.2019-04-004
|
|
- '0x1010' # car.2019-04-004
|
|
- '0x1438' # car.2019-04-004
|
|
- '0x143a' # car.2019-04-004
|
|
- '0x1418' # car.2019-04-004
|
|
selection_2:
|
|
EventID: 4663
|
|
ObjectName: '*\lsass.exe'
|
|
AccessList|contains:
|
|
- '4484'
|
|
- '4416'
|
|
filter:
|
|
ProcessName:
|
|
- '*\wmiprvse.exe'
|
|
- '*\taskmgr.exe'
|
|
- '*\procexp64.exe'
|
|
- '*\procexp.exe'
|
|
- '*\lsm.exe'
|
|
- '*\csrss.exe'
|
|
- '*\wininit.exe'
|
|
- '*\vmtoolsd.exe'
|
|
condition: selection_1 or selection_2 and not filter
|
|
falsepositives:
|
|
- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
|
|
level: high
|