security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
T
Nasreddine Bencherchali 0795ed6469 feat: additional updates and fixes
2023-02-04 21:06:47 +01:00

25 lines
884 B
YAML
Raw Blame History

title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019/12/22
modified: 2023/02/04
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\CreateMiniDump.exe'
- Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
- Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink