[New Rule] PowerShell MiniDump Script (#1528)

* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2021-10-26 12:09:16 -03:00
committed by GitHub
parent 4524c175c8
commit 239384497f
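--- /dev/null
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2021/10/05"
+maturity = "production"
+updated_date = "2021/10/05"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or
+Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
+"""
+false_positives = ["Powershell Scripts that use this capability for troubleshooting."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell MiniDump Script"
+references = [
+"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
+"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1"
+]
+risk_score = 73
+rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1003"
+name = "OS Credential Dumping"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+id = "T1003.001"
+name = "LSASS Memory"
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0006"
+name = "Credential Access"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"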
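Review bot: The `description` claims coverage of WindowsErrorReporting-based dumps, but the `query` only matches `MiniDumpWriteDump`, `MiniDumpWithFullMemory` and the reversed `pmuDetirWpmuDiniM`, so no WER-based script would trigger this rule and the documentation overstates what it detects. Either drop that clause, e.g. `This rule detects PowerShell scripts that have capabilities to dump process memory using Dbghelp.dll MiniDumpWriteDump.`, or extend the query if WER coverage is intended. The reversed token deserves a comment above `query = '''` such as `# pmuDetirWpmuDiniM is "MiniDumpWriteDump" reversed, to catch string-reversal obfuscation`, since a comment inside the literal string would become part of the KQL. Whether the match is case-insensitive depends on how powershell.file.script_block_text is mapped, which the hunk does not show; confirm the mapping before relying on the mixed-case terms, and note in `false_positives` that a script block mentioning these names only in comments or log text will also match.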