From 239384497f5eac52dce03e157efeacf4accca102 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 26 Oct 2021 12:09:16 -0300 Subject: [PATCH] [New Rule] PowerShell MiniDump Script (#1528) * PowerShell MiniDump Script Initial Rule * Update credential_access_posh_minidump.toml * Apply suggestions from code review Co-authored-by: Justin Ibarra * Update credential_access_posh_minidump.toml * Update rules/windows/credential_access_posh_minidump.toml Co-authored-by: Justin Ibarra Co-authored-by: Justin Ibarra --- .../credential_access_posh_minidump.toml | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 rules/windows/credential_access_posh_minidump.toml diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml new file mode 100644 index 000000000..6d237ea2e --- /dev/null +++ b/rules/windows/credential_access_posh_minidump.toml @@ -0,0 +1,70 @@ +[metadata] +creation_date = "2021/10/05" +maturity = "production" +updated_date = "2021/10/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or +Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. +""" +false_positives = ["Powershell Scripts that use this capability for troubleshooting."] +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "PowerShell MiniDump Script" +references = [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1" +] +risk_score = 73 +rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1003/" +id = "T1003" +name = "OS Credential Dumping" + + [[rule.threat.technique.subtechnique]] + reference = "https://attack.mitre.org/techniques/T1003/001/" + id = "T1003.001" + name = "LSASS Memory" + + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0006" +name = "Credential Access" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + id = "T1059.001" + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"