ikiril01
commented
5 years ago I'm leaving this one open pending whatever we decide as far as process open/access actions.
Closed johnwunder closed 5 years ago
ikiril01
commented
5 years ago I'm leaving this one open pending whatever we decide as far as process open/access actions.
ikiril01
commented
5 years ago
Credential Dumping via Mimikatz
Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz.
ATT&CK Coverage
Implementations
Common Mimikatz GrantedAccess Patterns
This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.
Language: Splunk . Data Model: Sysmon Native
Outliers
This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.
Language: Splunk . Data Model: Sysmon Native
Data Model Mappings
This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn't have a CAR data model mapping.
References
Analytic developed by Sean Whitley @ MITRE, received his permission to post these two implementations.
Credit to Cyb3rWard0g, dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/attack_matrix/windows/credential_access/credential_dumping/mimikatz_inmem.md
Developer Certificate of Origin
DCO signed-off-by: John Wunder jwunder@mitre.org