mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
38 lines
1.3 KiB
YAML
38 lines
1.3 KiB
YAML
title: LSASS Memory Dumping
|
|
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
|
|
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
|
|
status: experimental
|
|
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
|
date: 2019/10/24
|
|
modified: 2019/11/11
|
|
references:
|
|
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
|
|
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
- attack.t1003.001
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains|all:
|
|
- 'lsass'
|
|
- '.dmp'
|
|
selection2:
|
|
Image|endswith: '\werfault.exe'
|
|
selection3:
|
|
Image|contains: '\procdump'
|
|
Image|endswith: '.exe'
|
|
CommandLine|contains: 'lsass'
|
|
condition: selection1 and not selection2 or selection3
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- CommandLine
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|