From e7695f862f61a45486c3600a7ec0df6715a7f8c0 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 8 Dec 2020 17:56:25 +0100
Subject: [PATCH] [New Rule] Potential Credential Access with LolBas (#620)

* [New Rule] Potential Credential Access with LolBas
* typo
* added procdump and steam lolbins
* added cisco Jabber lobas
* eql syntax
* ecs_version
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* renamed rule and filename as suggested by DanStep
* adjust name and desc
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../credential_access_cmdline_dump_tool.toml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/windows/credential_access_cmdline_dump_tool.toml

diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
new file mode 100644
index 000000000..ebcbf7b46
--- /dev/null
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2020/11/24"
+maturity = "production"
+updated_date = "2020/11/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory
+database (NTDS.dit) in preparation for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Potential Credential Access via Windows Utilities"
+references = ["https://lolbas-project.github.io/"]
+risk_score = 73
+rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+/* update here with any new lolbas with dump capability */
+(process.pe.original_file_name == "procdump" and process.args : "-ma") or
+(process.name : "ProcessDump.exe" and not process.parent.executable : "C:\\Program Files*\\Cisco Systems\\*.exe") or
+(process.pe.original_file_name == "WriteMiniDump.exe" and not process.parent.executable : "C:\\Program Files*\\Steam\\*.exe") or
+(process.pe.original_file_name == "RUNDLL32.EXE" and (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*")) or
+(process.pe.original_file_name == "RdrLeakDiag.exe" and process.args : "/fullmemdmp") or
+(process.pe.original_file_name == "SqlDumper.exe" and process.args : "0x01100*") or
+(process.pe.original_file_name == "TTTracer.exe" and process.args : "-dumpFull" and process.args : "-attach") or
+(process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or
+(process.pe.original_file_name == "diskshadow.exe" and process.args : "/s")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
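Review bot: In the `query` string the `and` that joins `event.type in ("start", "process_started")` to the first `(process.pe.original_file_name == "procdump" ...)` clause binds tighter than the `or` chain that follows, so only the procdump alternative is gated on the event type; every alternative from `ProcessDump.exe` down to `diskshadow.exe` matches on any `process` event the indices carry (e.g. termination or other process events), which inflates alerts and makes the `/* update here ... */` comment's extension pattern silently wrong for each new clause. Wrap the whole disjunction in parentheses so the filter applies to all of them: change the first line to `process where event.type in ("start", "process_started") and (` and the last clause to `(process.pe.original_file_name == "diskshadow.exe" and process.args : "/s"))`. Separately, the procdump clause compares `original_file_name` to the bare string `"procdump"` with a case-sensitive `==` while every other clause uses a `.exe`-suffixed name; if the shipped binary's OriginalFilename field carries the suffix or different casing this clause never fires, so it is worth confirming against a sample and, if needed, switching to `:` with both forms. The hunk is the complete new file, so nothing continues outside it.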