-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2019-07-002.yaml
78 lines (67 loc) · 3.09 KB
/
CAR-2019-07-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
---
title: Lsass Process Dump via Procdump
submission_date: 2019/07/29
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Kaushal Parikh/Cyware Labs
- Tony Lambert/Red Canary
- MITRE
id: CAR-2019-07-002
description: |-
[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
Note - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.
coverage:
- technique: T1003
tactics:
- TA0006
subtechniques:
- T1003.001
coverage: Low
implementations:
- name: Procdump - Process Create
description: This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line.
code: |-
processes = search Process:Create
procdump_lsass = filter processes where (
exe = "procdump*.exe" and
command_line = "*lsass*")
output procdump_lsass
type: Pseudocode
- name: Procdump - Process Create
description: A Splunk/Sysmon version of the above pseudocode.
code: |-
index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
type: Splunk
data_model: Sysmon native
- name: Procdump - Process Create
description: 'An [EQL Version](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html) of the above pseudocode.'
type: EQL
- name: Procdump - Process Access
description: A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe.
code: |-
index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
type: Splunk
data_model: Sysmon native
- name: Procdump - Process Access
description: 'A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) of the above Splunk search, with some more stringent criteria around calltrace.'
type: Sigma
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*"
type: LogPoint
data_mode: LogPoint native
data_model_references:
- process/create/exe
- process/create/command_line
unit_tests:
- description: |-
1. Open a Windows Command Prompt or PowerShell instance.
2. Navigate to folder containing ProcDump.
3. Execute procdump.exe -ma lsass.exe lsass_dump