diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml new file mode 100644 index 000000000..6d237ea2e --- /dev/null +++ b/rules/windows/credential_access_posh_minidump.toml @@ -0,0 +1,70 @@ +[metadata] +creation_date = "2021/10/05" +maturity = "production" +updated_date = "2021/10/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or +Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. +""" +false_positives = ["Powershell Scripts that use this capability for troubleshooting."] +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "PowerShell MiniDump Script" +references = [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1" +] +risk_score = 73 +rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1003/" +id = "T1003" +name = "OS Credential Dumping" + + [[rule.threat.technique.subtechnique]] + reference = "https://attack.mitre.org/techniques/T1003/001/" + id = "T1003.001" + name = "LSASS Memory" + + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0006" +name = "Credential Access" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + id = "T1059.001" + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"