Open Cyb3rWard0g opened 4 years ago
Cyb3rWard0g
commented
4 years ago Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Cyb3rWard0g
commented
4 years ago CreateRemoteThread API
Sysmon
SELECT Message
FROM apt29Host f
INNER JOIN (
SELECT d.ProcessGuid, d.ParentProcessGuid
FROM apt29Host d
INNER JOIN (
SELECT a.ProcessGuid, a.ParentProcessGuid
FROM apt29Host a
INNER JOIN (
SELECT ProcessGuid
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
AND LOWER(Image) LIKE "%control.exe"
AND LOWER(ParentImage) LIKE "%sdclt.exe"
) b
ON a.ParentProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
AND a.EventID = 1
AND a.IntegrityLevel = "High"
) c
ON d.ParentProcessGuid= c.ProcessGuid
WHERE d.Channel = "Microsoft-Windows-Sysmon/Operational"
AND d.EventID = 1
AND d.Image LIKE '%powershell.exe'
) e
ON f.SourceProcessGuid = e.ParentProcessGuid
WHERE f.Channel = "Microsoft-Windows-Sysmon/Operational"
AND f.EventID = 8
AND f.TargetImage LIKE '%lsass.exe'Results
CreateRemoteThread detected:
RuleName: -
UtcTime: 2020-05-02 03:05:16.623
SourceProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400}
SourceProcessId: 2976
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {47ab858c-cad9-5eac-0c00-000000000400}
TargetProcessId: 736
TargetImage: C:\Windows\System32\lsass.exe
NewThreadId: 912
StartAddress: 0x00000117610E0000
StartModule: -
StartFunction: -
Description
The attacker then harvests password hashes (T1003).