shashank-elastic
82 lines
2.8 KiB
TOML
82 lines
2.8 KiB
TOML
[metadata]
|
|
creation_date = "2022/08/28"
|
|
integration = ["endpoint", "windows"]
|
|
maturity = "production"
|
|
updated_date = "2024/05/21"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER)
|
|
to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which
|
|
fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to
|
|
the credentials present on the system without having to bring malware to the system. This setting is not enabled by
|
|
default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Full User-Mode Dumps Enabled System-Wide"
|
|
references = [
|
|
"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
|
|
"https://github.com/deepinstinct/Lsass-Shtinkering",
|
|
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
|
|
severity = "medium"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Credential Access",
|
|
"Data Source: Elastic Defend",
|
|
"Data Source: Elastic Endgame",
|
|
"Data Source: Sysmon",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
registry where host.os.type == "windows" and
|
|
registry.path : (
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
|
|
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
|
|
) and
|
|
registry.data.strings : ("2", "0x00000002") and
|
|
not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1003"
|
|
name = "OS Credential Dumping"
|
|
reference = "https://attack.mitre.org/techniques/T1003/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1003.001"
|
|
name = "LSASS Memory"
|
|
reference = "https://attack.mitre.org/techniques/T1003/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0006"
|
|
name = "Credential Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0006/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1112"
|
|
name = "Modify Registry"
|
|
reference = "https://attack.mitre.org/techniques/T1112/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|