security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Created rule win_susp_sqldumper_activity.yml

Browse Source
This commit is contained in:
Kirill Kiryanov
2020-10-08 14:29:21 +03:00
parent a09488a90f
commit 55ea538841
1 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_sqldumper_activity.yml
+29
View File
@@ -0,0 +1,29 @@
title: Dumping process via sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
description: Detects process dump via legitimate sqldumper.exe binary
status: experimental
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020/10/08
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium