-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-05-001.yaml
45 lines (42 loc) · 2.92 KB
/
CAR-2020-05-001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
---
title: MiniDump of LSASS
submission_date: 2020/05/04
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Cyber National Mission Force (CNMF)
id: CAR-2020-05-001
description: |-
This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.
The analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion.
This analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.
NOTE - this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events.
coverage:
- technique: T1003
tactics:
- TA0006
subtechniques:
- T1003.003
coverage: Low
implementations:
- name: Lsass Process Access
description: This Splunk query looks for process access events where lsass.exe is accessed with a specific call trace that indicates the use of MiniDumpWriteDump.
code: |-
index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\windows\\system32\\lsass.exe" (CallTrace="*dbghelp.dll*" OR CallTrace="*dbgcore.dll*")| table _time host SourceProcessId SourceImage
type: Splunk
data_model: Sysmon native
- description: LogPoint version of the above pseudocodes.
code: |-
norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"]
| fields log_ts host source_process_id source_image
type: LogPoint
data_mode: LogPoint native
d3fend_mappings:
- iri: d3f:SystemCallAnalysis
id: D3-SCA
label: System Call Analysis