From a33a124eab4e5ca95e099480058c6c59d520ea2d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 17 Oct 2023 09:35:38 -0300
Subject: [PATCH] [New Rule] [BBR] Memory Dump File Rules (#3122)
* [New Rule] Memory Dump File Rules
* .
* .
* .
---
 .../credential_access_mdmp_file_creation.toml | 88 +++++++++++++++++++
 ...al_access_mdmp_file_unusual_extension.toml | 77 ++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 rules_building_block/credential_access_mdmp_file_creation.toml
 create mode 100644 rules_building_block/credential_access_mdmp_file_unusual_extension.toml
diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml
new file mode 100644
index 000000000..fd56e0601
--- /dev/null
+++ b/rules_building_block/credential_access_mdmp_file_creation.toml
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/09/21"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access
+credentials from a process memory.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via Memory Dump File Creation"
+risk_score = 21
+rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+
+ /* MDMP header */
+ file.Ext.header_bytes : "4d444d50*" and file.size >= 30000 and
+ not
+
+ (
+ (
+ process.executable : (
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
+ "?:\\Windows\\System32\\Wermgr.exe",
+ "?:\\Windows\\SysWOW64\\Wermgr.exe",
+ "?:\\Windows\\System32\\WerFaultSecure.exe",
+ "?:\\Windows\\System32\\WUDFHost.exe",
+ "?:\\Windows\\System32\\Taskmgr.exe",
+ "?:\\Windows\\SysWOW64\\Taskmgr.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\SystemApps\\*.exe",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ file.path : (
+ "?:\\ProgramData\\Microsoft\\Windows\\WER\\*",
+ "?:\\ProgramData\\Microsoft\\WDF\\*",
+ "?:\\ProgramData\\Alteryx\\ErrorLogs\\*",
+ "?:\\ProgramData\\Goodix\\*",
+ "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\*",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\logs\\zoomcrash*",
+ "?:\\Users\\*\\AppData\\*\\Crashpad\\*",
+ "?:\\Users\\*\\AppData\\*\\crashpaddb\\*",
+ "?:\\Users\\*\\AppData\\*\\HungReports\\*",
+ "?:\\Users\\*\\AppData\\*\\CrashDumps\\*",
+ "?:\\Users\\*\\AppData\\*\\NativeCrashReporting\\*"
+ ) and (process.code_signature.trusted == true or process.executable == null)
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
new file mode 100644
index 000000000..e142da657
--- /dev/null
+++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
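Review bot: The description says the rule identifies "the creation or modification" of a dump file, but the query filters on `event.type == "creation"` only, so modification events never match; either align the text to `Identifies the creation of a medium size memory dump file which can indicate an attempt to access credentials from process memory.` or widen the event filter deliberately. The `file.size >= 30000` floor is the only thing that makes "medium size" concrete and carries no rationale; an inline `/* 30000-byte floor: TODO record the false-positive data behind this threshold */` next to the header check would help future tuning. The exclusions `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` combined with `process.code_signature.trusted == true` exempt any signed binary installed under those directories regardless of which process it dumps, which is a broad coverage trade-off worth stating in a comment so it is not mistaken for a narrow WER-style allowlist.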
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2023/09/21"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a
+memory dump as another file type to bypass security defenses.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Memory Dump File with Unusual Extension"
+risk_score = 21
+rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+
+ /* MDMP header */
+ file.Ext.header_bytes : "4d444d50*" and
+ not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat") and
+ not
+ (
+ process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and
+ process.code_signature.trusted == true and length(file.extension) == 0
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.008"
+name = "Masquerade File Type"
+reference = "https://attack.mitre.org/techniques/T1036/008/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
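Review bot: The "usual" extension allowlist `not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat")` treats the generic `tmp` and `dat` as expected dump extensions, so MDMP files written under those names fall outside a rule whose stated purpose is catching dumps disguised as another file type; a comment recording which benign writer motivated each generic entry would make that trade-off reviewable, e.g. `/* tmp/dat: excluded for <placeholder: benign source>; revisit if coverage is preferred over noise */`. Unlike the sibling rule in credential_access_mdmp_file_creation.toml, no `file.size` floor is applied here, which looks intentional but is not stated. The esensor exclusion relies on `length(file.extension) == 0`; if the field is absent rather than an empty string for extensionless files, that clause may not evaluate true and the exclusion silently stops working — confirm against real events and consider `(file.extension == null or length(file.extension) == 0)`.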