security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/windows/process_access/proc_access_win_lsass_memdump.yml
T
Nasreddine Bencherchali e052677142
Create Release / Create Release (push) Has been cancelled
Details
Merge PR #4577 from @nasbench - Multiple Fixes & Updates 
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
2023-12-21 21:04:18 +01:00

58 lines
2.2 KiB
YAML
Executable File
Raw Blame History

title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019/04/03
modified: 2023/12/13
tags:
- attack.credential_access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1000'
- '0x1038'
- '0x1438'
- '0x143a'
- '0x1fffff' # Too many false positives
# - '0x01000' # Too many false positives
# - '0x1010' # Too many false positives
# - '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
# - '0x40' # Too many false positives
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
- 'kernel32.dll'
- 'kernelbase.dll'
- 'ntdll.dll'
filter_main_system_user:
SourceUser|contains: # Covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_thor:
CallTrace|contains|all:
- ':\Windows\Temp\asgard2-agent\'
- '\thor\thor64.exe+'
- '|UNKNOWN('
GrantedAccess: '0x103800'
filter_optional_sysmon:
SourceImage|endswith: ':\Windows\Sysmon64.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink