Dumping Lsass.exe memory with MiniDumpWriteDump API

2019-10-28 22:11:55 -07:00
parent a6b24da6dd
commit 551d3d653c
1 changed files with 56 additions and 0 deletions
@@ -0,0 +1,56 @@
+title: Dumping Lsass.exe memory with MiniDumpWriteDump API
+status: experimental
+description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. 
+date: 27/10/2019
+author: Perez Diego (@darkquassar), oscd.community
+references:
+    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+tags:
+    - attack.credential_access
+    - attack.T1003
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    signedprocess:
+        EventID: 7
+        ImageLoaded:
+            - C:\Windows\System32\dbghelp.dll
+            - C:\Windows\System32\dbgcore.dll
+        Image: 
+            - '*msbuild.exe*'
+            - '*cmd.exe*'
+            - '*svchost.exe*'
+            - '*rundll32.exe*'
+            - '*powershell.exe*'
+            - '*word.exe*'
+            - '*excel.exe*'
+            - '*powerpnt.exe*'
+            - '*outlook.exe*'
+            - '*monitoringhost.exe*'
+            - '*wmic.exe*'
+            - '*msiexec.exe*'
+            - '*bash.exe*'
+            - '*wscript.exe*'
+            - '*cscript.exe*'
+            - '*mshta.exe*'
+            - '*regsvr32.exe*'
+            - '*schtasks.exe*'
+            - '*dnx.exe*'
+            - '*regsvcs.exe*'
+            - '*sc.exe*'
+            - '*scriptrunner.exe*'
+    unsignedprocess:
+        EventID: 7
+        ImageLoaded:
+            - C:\Windows\System32\dbghelp.dll
+            - C:\Windows\System32\dbgcore.dll
+        Signed: "FALSE"
+    filter:
+        ImageLoaded: "*Visual Studio*"
+    condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
+falsepositives:
+    - Penetration tests
+level: critical