From edc99c92a2e2a7eda7516df6f7aef5a562095ef2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:02:56 +0100
Subject: [PATCH] fix: enhance rules related to Lsass-Shtinkering
---
 .github/workflows/known-FPs.csv | 1 -
 .../file_event_lsass_shtinkering.yml | 17 +++++----
 .../proc_creation_lsass_shtinkering.yml | 37 +++++++++++--------
 .../registry_add_usermode_dumping_enabled.yml | 25 -------------
 .../registry_set_lsass_usermode_dumping.yml | 17 +++++----
 5 files changed, 41 insertions(+), 56 deletions(-)
 delete mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 9b7911bb3..bbb1f00d1 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
-33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
index ccd828eff..522ab6eb3 100644
--- a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
+++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
@@ -1,23 +1,24 @@
-title: Suspicious LSASS Dump using LSASS Shtinkering
+title: LSASS Process Dump Artefact In CrashDumps Folder
 id: 6902955a-01b7-432c-b32a-6f5f81d8f625
 status: experimental
-description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
-modified: 2022/12/08
+date: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 category: file_event
 detection:
 selection:
- TargetFilename|contains|all:
- - 'lsass.exe'
- - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
+ TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
+ TargetFilename|contains: 'lsass.exe.'
 TargetFilename|endswith: '.dmp'
 condition: selection
 falsepositives:
- - Unknown
-level: high
\ No newline at end of file
+ - Rare legitimate dump of the process by the operating system due to a crash of lsass
+level: high
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index 1aa5c4f40..a88adb413 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
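Review bot: The new `TargetFilename|startswith` selector pins the rule to the `C:` drive and to the default dump folder of the system profile, so a dump written under a different system drive or to a non-default WER dump location will not match, and neither the title nor the description says that only the default location is covered. Either state that assumption in the description or drop the drive prefix, e.g. `TargetFilename|contains: '\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'`, keeping the `'lsass.exe.'` and `'.dmp'` checks as they are. Minor wording: `file_event` observes file creation, so `description: Detects the creation of an LSASS dump file in the "CrashDumps" folder...` describes what the rule actually sees better than "presence".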
@@ -1,30 +1,37 @@
-title: Suspicious LSASS Dumping using Windows Error Reporting
+title: Potential Credential Dumping Via Windows Error Reporting
 id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
 status: experimental
-description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
-author: '@pbssubhash'
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash , Nasreddine Bencherchali'
 date: 2022/12/08
-modified: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 category: process_creation
 detection:
- selection:
+ selection_img:
 - Image|endswith: '\Werfault.exe'
- - OriginalFileName: 'WerFault.Exe'
- - CommandLine|contains|all:
- - '-u '
- - '-p'
- - '-ip '
- - '-s '
- # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ - OriginalFileName: 'WerFault.exe'
+ selection_cli:
+ ParentUser|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ CommandLine|contains|all:
+ # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ - ' -u -p '
+ - ' -ip '
+ - ' -s '
 filter_lsass:
- ParentImage|endswith: 'C:\Windows\System32\lsass.exe'
- condition: selection and not filter_lsass
+ ParentImage: 'C:\Windows\System32\lsass.exe'
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
- - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine.
+ - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
deleted file mode 100644
index c610cd2d6..000000000
--- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Adding of a registry key for LSASS Shtinkering
-id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
-status: experimental
-description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
-references:
- - https://github.com/deepinstinct/Lsass-Shtinkering
-author: '@pbssubhash'
-date: 2022/12/08
-modified: 2022/12/08
-tags:
- - attack.credential_access
-logsource:
- category: registry_add
- product: windows
-detection:
- selection:
- EventType: CreateKey
- TargetObject|contains:
- - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
- filter:
- TargetObject|endswith: '.exe'
- condition: selection and not filter
-falsepositives:
- - Legitimate usage of enabling user mode dumping (Not seen in the wild)
-level: high
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index dab1b1a9c..c362fe0e6 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
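Review bot: `selection_cli` now requires `ParentUser` as well as `User` to match, and with `condition: all of selection_* and not 1 of filter_*` the whole rule depends on the event carrying a parent-user field; on a process-creation source that does not populate `ParentUser` (Sysmon added it only in later versions, and the Security 4688 mapping presumably lacks it — worth confirming for the sources this rule is deployed against) the rule can never fire, which is a silent coverage loss relative to the old single `selection`. Either document the requirement in the description, e.g. `# requires a log source that populates ParentUser`, or split the `ParentUser` clause into its own selection so the `User` and `CommandLine` checks still match on their own. Style nit in the same hunk: `author: '@pbssubhash , Nasreddine Bencherchali'` has a stray space before the comma; `author: '@pbssubhash, Nasreddine Bencherchali'`.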
@@ -1,24 +1,27 @@
-title: Setting of a registry key's value for LSASS Shtinkering
+title: Lsass Full Dump Request Via DumpType Registry Settings
 id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
 status: experimental
-description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
 date: 2022/12/08
-modified: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 category: registry_set
 product: windows
 detection:
 selection:
 EventType: SetValue
- TargetObject:
- - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
- Details: 2
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
+ Details: 'DWORD (0x00000002)' # Full Dump
 condition: selection
 falsepositives:
- - Unknown
+ - Legitimate application that needs to do a full dump of their process
 level: high
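Review bot: The first `TargetObject|contains` entry, `\LocalDumps\DumpType`, is the application-wide WER value, so the rule fires whenever any program is configured for full dumps, not only lsass, while the title still reads "Lsass Full Dump Request"; the description should say that the global setting is covered too (it is what makes the falsepositives entry about "legitimate application" true), or the title should drop the lsass-specific wording, e.g. `title: Full Dump Request Via WER DumpType Registry Setting`. The switch from `Details: 2` to `Details: 'DWORD (0x00000002)'` looks like the real fix here, since the old integer form presumably never matched the registry event's string rendering; a short comment would stop someone "tidying" it back, e.g. `Details: 'DWORD (0x00000002)' # Full Dump - keep the string form, this is how the registry_set event renders the value`. Since both the global and the per-application values are legitimate admin settings, `level: high` is likely to be noisy on hosts where developers enable user-mode dumps; consider whether the lsass-specific path alone deserves high and the global path medium.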