19d271b33c
fix: Potential NT API Stub Patching - Tune FP filter
new: Credential Dumping Activity By Python Based Tool
new: HackTool - Generic Process Access
remove: Credential Dumping Tools Accessing LSASS Memory
update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
update: Credential Dumping Attempt Via WerFault - Update title
update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
update: HackTool - CobaltStrike BOF Injection Pattern - Update title
update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
update: HackTool - winPEAS Execution - Add additional image names for winPEAS
update: LSASS Access From Potentially White-Listed Processes - Update title and description
update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
update: Potential Process Hollowing Activity - Update FP filter
update: Potential Shellcode Injection - Update title and enhance false positive filter
update: Potentially Suspicious GrantedAccess Flags On LSASS -
update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: swachchhanda000
27 lines
968 B
YAML
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012/06/27
modified: 2023/11/29
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\WerFault.exe'
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Actual failures in lsass.exe that trigger a crash dump (unlikely)
    - Unknown cases in which WerFault accesses lsass.exe
level: high
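A small evaluator that applies this rule's selection to process_access records, added here as an example and not part of the Sigma project's own tooling. The field names follow the rule, the sample events are constructed, only the string modifiers the rule needs are implemented, and the comparison is case-insensitive as Sigma specifies (Sysmon may log GrantedAccess as 0x1fffff or 0x1FFFFF, and the image may live on a drive other than C:).

```python
# Selection transcribed from the rule above: each key is "field" or "field|modifier".
SELECTION = {
    "SourceImage|endswith": "\\WerFault.exe",
    "TargetImage|endswith": "\\lsass.exe",
    "GrantedAccess": "0x1FFFFF",
}


def _match_field(modifier, expected, actual):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """A Sigma selection map is an AND over all its fields."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _match_field(modifier or None, expected, event.get(field)):
            return False
    return True


# Constructed Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
SAMPLE_EVENTS = [
    # lower-case hex access mask, default install path: must match
    {"SourceImage": "C:\\Windows\\System32\\WerFault.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    # same pair of images installed on D:, which the endswith modifier still covers
    {"SourceImage": "D:\\Win\\System32\\WerFault.exe",
     "TargetImage": "D:\\Win\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # WerFault touching lsass with a narrower mask: not in scope of this rule
    {"SourceImage": "C:\\Windows\\System32\\WerFault.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # full access from a different source image: handled by other rules, not this one
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]


def alerts(events):
    """Return the indexes of events the selection fires on."""
    return [i for i, ev in enumerate(events) if matches_selection(ev)]
```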