Closed ForensicITGuy closed 4 years ago
@ForensicITGuy thanks for the contribution - it's especially great that you included multiple implementations :)
A few questions: lsass in the name)?
Hey @ikiril01 That would be correct, it would be a TTP.
For the second question, there's no place to specify the file name with Task Manager; it should always be deterministic, such as lsass.dmp, lsass (1).dmp and so on.
Added this in a PR - #32. Thanks again for the submission!
Credential Dumping via Windows Task Manager
The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.
This requires filesystem data to determine whether files have been created.
ATT&CK Coverage
Analytic Code
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
Pseudocode
Splunk, Sysmon native
EQL
Test Cases
lsass.exe and select "Create dump file".
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
Developer Certificate of Origin
DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
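An added example, not part of this submission and not CAR's own analytic code: a Python check that applies the file-creation logic described in the analytic to Sysmon Event ID 11 (FileCreate) records. The field names (EventID, UtcTime, ProcessId, Image, TargetFilename) follow Sysmon's FileCreate event; the sample events, user name and paths are constructed. It relies on the point made in the discussion that Task Manager's output name is deterministic (lsass.dmp, lsass (1).dmp and so on), so the file name is compared case-insensitively against lsass*.dmp and the writing process must be taskmgr.exe.

```python
"""Flag Sysmon FileCreate (Event ID 11) records in which Task Manager writes
an lsass*.dmp file. Added example; not the CAR analytic's own code."""
import fnmatch
import json
import ntpath
from typing import Dict, List

# Constructed sample telemetry (JSON lines), not real events. Task Manager
# writes its dumps with an upper-case .DMP extension, so matching must be
# case-insensitive. Paths and the user name are made up.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 11, "UtcTime": "2019-08-01 14:02:11.001", "ProcessId": 4120,
                "Image": "C:\\Windows\\System32\\Taskmgr.exe",
                "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP"}),
    json.dumps({"EventID": 11, "UtcTime": "2019-08-01 14:03:40.557", "ProcessId": 4120,
                "Image": "C:\\Windows\\System32\\Taskmgr.exe",
                "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass (1).DMP"}),
    # Task Manager dumping a different process: not a credential-access signal.
    json.dumps({"EventID": 11, "UtcTime": "2019-08-01 14:05:02.120", "ProcessId": 4120,
                "Image": "C:\\Windows\\System32\\Taskmgr.exe",
                "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.DMP"}),
    # Matching file name but written by another program: outside this analytic's scope.
    json.dumps({"EventID": 11, "UtcTime": "2019-08-01 14:06:15.009", "ProcessId": 5200,
                "Image": "C:\\Program Files\\Editor\\editor.exe",
                "TargetFilename": "C:\\Users\\alice\\Documents\\lsass.dmp"}),
    # Wrong event type (ProcessCreate), even though the fields look similar.
    json.dumps({"EventID": 1, "UtcTime": "2019-08-01 14:01:59.300", "ProcessId": 4120,
                "Image": "C:\\Windows\\System32\\Taskmgr.exe",
                "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP"}),
    "not json at all",  # malformed line, must be skipped rather than crash the run
])


def parse_events(jsonl: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_taskmgr_lsass_dump(event: Dict) -> bool:
    """True when a FileCreate event shows taskmgr.exe writing lsass*.dmp.

    ntpath handles the Windows separators regardless of the host OS, and both
    the process name and the file name are lower-cased before comparison.
    """
    if event.get("EventID") != 11:
        return False
    proc = ntpath.basename(event.get("Image", "")).lower()
    fname = ntpath.basename(event.get("TargetFilename", "")).lower()
    return proc == "taskmgr.exe" and fnmatch.fnmatchcase(fname, "lsass*.dmp")


def find_lsass_dumps(jsonl: str) -> List[Dict]:
    """Return one alert record per matching event, in input order."""
    return [
        {"time": ev.get("UtcTime"), "pid": ev.get("ProcessId"), "file": ev["TargetFilename"]}
        for ev in parse_events(jsonl)
        if is_taskmgr_lsass_dump(ev)
    ]


if __name__ == "__main__":
    for alert in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"{alert['time']} pid={alert['pid']} taskmgr.exe wrote {alert['file']}")
```

Two practical notes: Sysmon only records FileCreate events for paths covered by its configuration, so the user's Temp directory that Task Manager writes to must be in scope for this to fire at all; and because the match keys on the deterministic name Task Manager assigns, a dump produced by a tool that lets the operator choose the file name falls outside this analytic, which is why the submission scopes it to Task Manager specifically.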