From d485fa9b93be3fa1c033a36001ac138e77cb0239 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 14:03:10 -0600
Subject: [PATCH 1/6] Create process_creation_win_lolbas_dump64.yml
---
.../process_creation_win_lolbas_dump64.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
new file mode 100644
index 000000000..ecaa3308d
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
@@ -0,0 +1,24 @@
+title: Suspicious Memory Dump Execution
+id: 129966c9-de17-4334-a123-8b58172e664d
+description: Detects when a user bypasses Defender and dumps LSASS by renaming procdump.exe to dump64.exe
+status: experimental
+author: Austin Songer @austinsonger
+date: 2021/11//26
+references:
+ - https://twitter.com/mrd0x/status/1460597833917251595
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ lolbas:
+ CommandLine|contains:
+ - dump64.exe
+ - .dmp
+ condition: selection
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.T1003.001
+level: high
+falsepositives:
+ - Unlikely
From 18bab18dd94fa28a355c5534721395299c23de41 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 14:19:10 -0600
Subject: [PATCH 2/6] Update process_creation_win_lolbas_dump64.yml
---
.../process_creation/process_creation_win_lolbas_dump64.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
index ecaa3308d..49109359e 100644
--- a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
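Review bot: `condition: selection` names a search identifier that the detection block never defines — the only one declared is `lolbas:` — so Sigma tooling rejects the rule as written; rename the key to `selection:` (or point the condition at `lolbas`). The `date` value `2021/11//26` carries a doubled slash and will not pass a date-format check, and the tag list holds both `attack.t1003` and `attack.T1003.001`, which are redundant and mixed-case where Sigma tags are lowercase. Later patches in this series rework all three, but this commit on its own does not validate. The `- .dmp` entry under `CommandLine|contains` also matches any command line that mentions a dump file, which is far broader than the renamed-procdump case the description names.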
@@ -17,7 +17,6 @@ detection:
 condition: selection
 tags:
 - attack.credential_access
- - attack.t1003
 - attack.T1003.001
 level: high
 falsepositives:
From 83e4236edfe857a75402edf401966aa2bbc363b7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 26 Nov 2021 21:23:21 +0100
Subject: [PATCH 3/6] fix: tag, changed rule to avoid FP with VS binary
there is a legitimate binary used in Visual Studio named dump64.exe, we can exclude the original location and only report when we see it in a different location or used with procdump command line flags https://www.advanceduninstaller.com/Visual-Studio-Professional-2019-dc240beb51a0e41e029278d4ad2a2e87-application.htm
---
.../process_creation_win_lolbas_dump64.yml | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
index 49109359e..c38dbb2db 100644
--- a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
@@ -2,7 +2,7 @@ title: Suspicious Memory Dump Execution
 id: 129966c9-de17-4334-a123-8b58172e664d
 description: Detects when a user bypasses Defender and dumps LSASS by renaming procdump.exe to dump64.exe
 status: experimental
-author: Austin Songer @austinsonger
+author: Austin Songer @austinsonger, Florian Roth
 date: 2021/11//26
 references:
 - https://twitter.com/mrd0x/status/1460597833917251595
@@ -10,14 +10,18 @@ logsource:
 product: windows
 category: process_creation
 detection:
- lolbas:
+ selection:
+ Image|endswith: '\dump64.exe'
+ procdump_flags:
 CommandLine|contains:
- - dump64.exe
- - .dmp
- condition: selection
+ - ' -ma '
+ - 'accpeteula'
+ filter:
+ Image|contains: '\Installer\Feedback\dump64.exe'
+ condition: ( selection and not filter ) or ( selection and procdump_flags )
 tags:
 - attack.credential_access
- - attack.T1003.001
+ - attack.t1003.001
 level: high
 falsepositives:
 - Unlikely
From 1b8a6b901b1cbcf28393335b59e4cee9ac9d6ae5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 26 Nov 2021 21:24:54 +0100
Subject: [PATCH 4/6] docs: change title and description
---
.../process_creation/process_creation_win_lolbas_dump64.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
index c38dbb2db..cd8247c86 100644
--- a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
@@ -1,6 +1,6 @@
-title: Suspicious Memory Dump Execution
+title: Suspicious Dump64.exe Execution
 id: 129966c9-de17-4334-a123-8b58172e664d
-description: Detects when a user bypasses Defender and dumps LSASS by renaming procdump.exe to dump64.exe
+description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
 status: experimental
 author: Austin Songer @austinsonger, Florian Roth
 date: 2021/11//26
From 248dcbe7358e366830236fca0890f15fd40a87e7 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 14:34:32 -0600
Subject: [PATCH 5/6] Update process_creation_win_lolbas_dump64.yml
---
.../process_creation/process_creation_win_lolbas_dump64.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
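Review bot: `- 'accpeteula'` under `procdump_flags` is a misspelling of `accepteula`, so that entry never matches the real ProcDump flag and the second condition clause, `( selection and procdump_flags )`, in practice fires only on `' -ma '`; change it to `- 'accepteula'`. That clause is the only path that reports a dump64.exe started from the excluded `\Installer\Feedback\` location, which the commit message describes as the renamed-binary case, so the typo disables the check this commit exists to add. It is also worth confirming that `' -ma '` with a space required on both sides is the intended anchoring, since it will not match when the flag is the last token on the command line.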
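Review bot: The new `description` says the rule detects a tool renamed to dump64.exe and 'placed in a Visual Studio folder', but the condition `( selection and not filter ) or ( selection and procdump_flags )` reports every `\dump64.exe` image outside the excluded `\Installer\Feedback\` path and covers the in-folder case only through the `procdump_flags` clause. Reword so the text matches what actually fires, e.g. `description: Detects execution of dump64.exe from a location other than the Visual Studio Installer\Feedback folder, or of any dump64.exe started with ProcDump-style command line flags, which may indicate a renamed dumping tool`. The title change is fine as is.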
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
index cd8247c86..db18ef626 100644
--- a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
@@ -3,7 +3,7 @@ id: 129966c9-de17-4334-a123-8b58172e664d
 description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
 status: experimental
 author: Austin Songer @austinsonger, Florian Roth
-date: 2021/11//26
+date: 2021/11/26
 references:
 - https://twitter.com/mrd0x/status/1460597833917251595
 logsource:
From 46f0e3211833ac62e36ead8ba336d1e4ce04e1b0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 27 Nov 2021 01:18:56 +0100
Subject: [PATCH 6/6] Update process_creation_win_lolbas_dump64.yml
---
.../process_creation/process_creation_win_lolbas_dump64.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
index db18ef626..34abd4ae3 100644
--- a/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+++ b/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
@@ -22,6 +22,6 @@ detection:
 tags:
 - attack.credential_access
 - attack.t1003.001
-level: high
 falsepositives:
- - Unlikely
+ - Dump64.exe in other folders than the excluded one
+level: high
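Review bot: The new `falsepositives` entry `- Dump64.exe in other folders than the excluded one` restates the rule's first condition clause rather than naming the legitimate activity an analyst should look for when triaging a hit. A wording such as `- Legitimate Visual Studio dump64.exe executed from a path other than the excluded Installer\Feedback folder` tells the reader what a benign match looks like; whether Visual Studio places dump64.exe anywhere else is not established by this series, so phrase it as a possibility rather than a fact. This applies to the last hunk of patch 6 only.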