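title: Procdump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved or copied to a different name
status: experimental
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth
date: 2022/01/11
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    # The procdump binary itself being copied or moved (renamed on the way)
    selection1:
        CommandLine|contains:
            - 'copy procdump'
            - 'move procdump'
    # A .dmp file being copied; both keys in this selection must match, so the
    # second list narrows the hit to typical procdump / lsass dump file names
    selection2:
        CommandLine|contains|all:
            - 'copy '
            - '.dmp '
        CommandLine|contains:
            - '2.dmp'
            - 'lsass'
            - 'out.dmp'
    # A dump carrying procdump's default output name being copied or moved
    selection3:
        CommandLine|contains:
            - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
            - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
    # Any one of the selections above is enough to trigger
    condition: 1 of selection*
falsepositives:
    - Cases in which procdump just gets copied to a different directory without any renaming
level: high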