Fixed CallTrace

Bhabesh
2022-06-28 10:56:18 +05:45
parent e0f8506c1b
commit 1f7e37d2a0
@@ -13,13 +13,12 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
call_trace: # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
filter:
CallTrace|contains:
- '\KERNEL32.DLL+'
- '\KERNELBASE.DLL+'
- '\WOW64.DLL+'
condition: selection and not filter
CallTrace|endswith: ')'
condition: selection and call_trace
falsepositives:
- Unknown
level: high
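Review bot: Dropping the `filter` block widens the match set in a way the rule no longer documents: a trace such as ntdll.dll+…|KERNELBASE.DLL+…|UNKNOWN(…) was excluded by the old `not filter`, but now satisfies `startswith`, `contains: '|UNKNOWN('` and `endswith: ')'` in the new `call_trace` selection. If that is intended, the comment on the `call_trace:` line should say so, e.g. `# last frame must be an unbacked UNKNOWN(...) entry; traces passing through KERNEL32/KERNELBASE/WOW64 are intentionally no longer filtered`. The `endswith: ')'` condition also appears to require the unbacked frame to be the final one, so an UNKNOWN frame followed by a module-backed frame would presumably not match — worth stating as a known coverage limit next to `falsepositives`. The rule's header (title, logsource, lines 1-12) lies outside the hunk, so I cannot confirm whether a description field already covers this.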