-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2019-04-004.yaml
60 lines (59 loc) · 3.44 KB
/
CAR-2019-04-004.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
---
title: Credential Dumping via Mimikatz
submission_date: 2019/04/29
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2019-04-004
description: |
Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz.
*This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.*
coverage:
- technique: T1003
tactics:
- TA0006
subtechniques:
- T1003.001
coverage: Low
implementations:
- name: Common Mimikatz GrantedAccess Patterns
description: This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.
code: |
index=__your_sysmon_data__ EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
| table _time hostname user SourceImage GrantedAccess
type: splunk
data_model: Sysmon native
- name: Outliers
description: This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.
code: |
earliest=-d@d latest=now() index=__your_sysmon_data__
EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| dedup SourceImage
| fields SourceImage ]
| table _time hostname user SourceImage GrantedAccess
type: splunk
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |
norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)"
| fields log_ts, host, user, source_image, access
type: LogPoint
data_model: LogPoint native
references:
- Credit to [Cyb3rWard0g](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/windows/06_credential_access/credential_dumping_T1003/credentials_from_memory/mimikatz_logonpasswords.md), dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics.
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis