valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
950fa18418
SigmaHQ/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

66 lines
2.2 KiB
YAML
Raw Blame History

title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
id: dd5ab153-beaa-4315-9647-65abc5f71541
status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
date: 27/10/2019
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: sysmon
detection:
signedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
- '\svchost.exe'
- '\rundll32.exe'
- '\powershell.exe'
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
- '\msiexec.exe'
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: "FALSE"
filter:
Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Penetration tests
level: critical
Reference in New Issue View Git Blame Copy Permalink