fix: enhance rules related to Lsass-Shtinkering

Nasreddine Bencherchali
2022-12-08 11:02:56 +01:00
parent bea46b2b9e
commit edc99c92a2
5 changed files with 41 additions and 56 deletions
-1
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
1 RuleId RuleName MatchString
44 52a85084-6989-40c3-8f32-091e12e17692 Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 Computer: Agamemnon
45 573df571-a223-43bc-846e-3f98da481eca Copy a File Downloaded From Internet 7z\.exe
46 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 Image Load of VSS Dll by Uncommon Executable SetupFrontEnd\.exe
33efc23c-6ea2-4503-8cfe-bdf82ce8f718 Adding of a registry key for LSASS Shtinkering \\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
@@ -1,23 +1,24 @@
title: Suspicious LSASS Dump using LSASS Shtinkering
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: experimental
description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
modified: 2022/12/08
date: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- 'lsass.exe'
- 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Unknown
level: high
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
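Review bot: `TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'` on the new side pins the match to the `C:` drive and to WER's default per-profile dump folder, so a host with Windows on another drive never matches even though the `lsass.exe.` and `.dmp` conditions would, and a host whose LocalDumps `DumpFolder` setting points elsewhere is likewise missed. `TargetFilename|contains: '\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'` keeps the intent without the drive letter, and a comment such as `# default LocalDumps location for the SYSTEM profile; DumpFolder is configurable` documents the assumption that remains. The `contains: 'lsass.exe.'` and `endswith: '.dmp'` pair reads well and should stay as the primary constraint.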
@@ -1,30 +1,37 @@
title: Suspicious LSASS Dumping using Windows Error Reporting
title: Potential Credential Dumping Via Windows Error Reporting
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: experimental
description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
author: '@pbssubhash'
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022/12/08
modified: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
selection_img:
- Image|endswith: '\Werfault.exe'
- OriginalFileName: 'WerFault.Exe'
- CommandLine|contains|all:
- '-u '
- '-p'
- '-ip '
- '-s '
# C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
- OriginalFileName: 'WerFault.exe'
selection_cli:
ParentUser|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|contains:
- 'AUTHORI'
- 'AUTORI'
CommandLine|contains|all:
# Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
- ' -u -p '
- ' -ip '
- ' -s '
filter_lsass:
ParentImage|endswith: 'C:\Windows\System32\lsass.exe'
condition: selection and not filter_lsass
ParentImage: 'C:\Windows\System32\lsass.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine.
- Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
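Review bot: The new `filter_lsass` uses an exact `ParentImage: 'C:\Windows\System32\lsass.exe'`, so on an installation where the system drive is not `C:` the exclusion silently stops applying and the rule fires on the very case it was written to drop; `ParentImage|endswith: '\Windows\System32\lsass.exe'` keeps the filter tight while dropping the drive letter. The same drive-letter dependence exists in the old line it replaces, so this is a pre-existing gap the commit had a chance to close. Two wording nits in the same hunk: `author: '@pbssubhash , Nasreddine Bencherchali'` has a stray space before the comma, and the description repeats "Windows Error Reporting" twice in one sentence and could read `Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting to dump lsass`. Whether `ParentUser` is populated depends on the event source feeding this rule; a short comment next to `selection_cli` naming that requirement would help deployers.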
@@ -1,25 +0,0 @@
title: Adding of a registry key for LSASS Shtinkering
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
status: experimental
description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
author: '@pbssubhash'
date: 2022/12/08
modified: 2022/12/08
tags:
- attack.credential_access
logsource:
category: registry_add
product: windows
detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
filter:
TargetObject|endswith: '.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of enabling user mode dumping (Not seen in the wild)
level: high
@@ -1,24 +1,27 @@
title: Setting of a registry key's value for LSASS Shtinkering
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: experimental
description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022/12/08
modified: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
Details: 2
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
Details: 'DWORD (0x00000002)' # Full Dump
condition: selection
falsepositives:
- Unknown
- Legitimate application that needs to do a full dump of their process
level: high
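Review bot: `TargetObject|contains` is used for two paths that both end in the value name `DumpType`, which in a `registry_set` event is the last component of `TargetObject`; `TargetObject|endswith:` expresses that precisely, whereas `contains` would also accept any value whose name merely starts with `DumpType`. The `Details: 'DWORD (0x00000002)' # Full Dump` comment is useful; extending it to `# Full Dump; 1 = Mini Dump, 0 = Custom per the referenced Microsoft doc` records why only 2 is alerted on, and the description's claim that the technique "requires" 2 is worth hedging to "is documented as using" unless the referenced material states it as a hard requirement. The falsepositive entry reads better as `Legitimate applications that need a full dump of their own process`.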