/
sysmon_minidumwritedump_lsass.yml
65 lines (65 loc) · 2.15 KB
/
sysmon_minidumwritedump_lsass.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
id: dd5ab153-beaa-4315-9647-65abc5f71541
status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: sysmon
detection:
signedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
- '\svchost.exe'
- '\rundll32.exe'
- '\powershell.exe'
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
- '\msiexec.exe'
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: "FALSE"
filter:
Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Penetration tests
level: critical