Florian Roth
40 lines
1.6 KiB
YAML
Executable File
40 lines
1.6 KiB
YAML
Executable File
title: LSASS Memory Dump
|
|
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
|
|
status: experimental
|
|
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
|
|
author: Samir Bousseaden, Michael Haag
|
|
date: 2019/04/03
|
|
modified: 2022/03/20
|
|
references:
|
|
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
|
|
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
|
|
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
- attack.s0002
|
|
logsource:
|
|
category: process_access
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
TargetImage|endswith: '\lsass.exe'
|
|
GrantedAccess|contains:
|
|
#- '0x1fffff' # Too many false positives
|
|
#- '0x01000' # Too many false positives
|
|
#- '0x1010' # Too many false positives
|
|
- '0x1038'
|
|
# - '0x40' # Too many false positives
|
|
#- '0x1400' # Too many false positives
|
|
# - '0x1410' # Too many false positives
|
|
- '0x1438'
|
|
- '0x143a'
|
|
CallTrace|contains:
|
|
- 'dbghelp.dll'
|
|
- 'dbgcore.dll'
|
|
- 'ntdll.dll'
|
|
condition: selection
|
|
falsepositives:
|
|
- False positives are present when looking for 0x1410. Exclusions may be required.
|
|
level: high |