rules/windows/process_creation/win_susp_procdump.yml

title: Suspicious Use of Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
    - Internal Research
author: Florian Roth
date: 2018/10/30
modified: 2019/10/14
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.credential_access
    - attack.t1003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '* -ma *'
    selection2:
        CommandLine:
            - '* lsass*'
    selection3:
        CommandLine:
            - '* -ma ls*'
    condition: ( selection1 and selection2 ) or selection3
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses the command line switches of Procdump
level: medium
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Suspicious Use of Procdump`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 5afee48e-67dd-4e03-a783-f74259dcf998`
fix: line break in description 2019-11-18 15:26:55 +01:00			`description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- Internal Research`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`author: Florian Roth`
			`date: 2018/10/30`
rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00			`modified: 2019/10/14`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`tags:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- attack.defense_evasion`
			`- attack.t1036`
			`- attack.credential_access`
			`- attack.t1003`
First Pass 2019-06-13 23:15:38 -05:00			`- car.2013-05-009`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection1:`
			`CommandLine:`
			`- '* -ma *'`
			`selection2:`
			`CommandLine:`
remove .exe from lsass 2019-10-14 17:26:33 +02:00			`- '* lsass*'`
rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00			`selection3:`
			`CommandLine:`
			`- '* -ma ls*'`
			`condition: ( selection1 and selection2 ) or selection3`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- Unlikely, because no one should dump an lsass process memory`
			`- Another tool that uses the command line switches of Procdump`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: medium`