mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
35 lines
976 B
YAML
35 lines
976 B
YAML
action: global
|
|
title: CreateMiniDump Hacktool
|
|
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
|
|
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
|
|
author: Florian Roth
|
|
references:
|
|
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
|
|
date: 2019/12/22
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
- attack.t1003.001
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
---
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
Image|contains: '\CreateMiniDump.exe'
|
|
selection2:
|
|
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
|
|
condition: 1 of them
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 11
|
|
TargetFilename|contains: '*\lsass.dmp'
|
|
condition: 1 of them
|