mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

Credential Dumping via Task Manager #26

Closed ForensicITGuy closed 4 years ago

ForensicITGuy commented 4 years ago

Credential Dumping via Windows Task Manager

The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.

This requires filesystem data to determine whether files have been created.

ATT&CK Coverage

Technique            Level of Coverage
Credential Dumping   Moderate

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

files = search File:Create
lsass_dump = filter files where (
    file_name = "lsass*.dmp"  and
    image_path = "C:\Windows\*\taskmgr.exe")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"

EQL

file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"

Test Cases

  1. Open Windows Task Manager as Administrator
  2. Select lsass.exe
  3. Right-click on lsass.exe and select "Create dump file".

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Object   Action   Field
file     create   file_name
file     create   file_name

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
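The three implementations above express the same filter in different query languages. As an added example, not part of the original submission or the CAR repository, the following Python applies that filter to a handful of constructed Sysmon Event ID 11 (FileCreate) records using the field names from the Splunk search (EventCode, Image, TargetFilename). The sample events, and the helper names matches_analytic and find_lsass_dumps, are assumptions made for this example. One detail the pseudocode leaves implicit is case handling: Task Manager writes the file with an upper-case extension (lsass.DMP), and the Splunk wildcard match is case-insensitive, so the example lowercases both sides before matching.

```python
import fnmatch
import ntpath

# Patterns taken from the analytic's pseudocode. They are matched
# case-insensitively because Task Manager names the file "lsass.DMP" and
# Splunk wildcard matching on TargetFilename is case-insensitive.
FILE_NAME_PATTERN = "lsass*.dmp"
IMAGE_PATH_PATTERN = r"c:\windows\*\taskmgr.exe"

# Constructed sample events (not real telemetry), reduced to the fields the
# analytic needs. Two should match, three should not.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass (1).DMP"},
    # Dump of some other process via Task Manager: not a credential dump.
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notepad.DMP"},
    # Same file name written by a different image: outside this analytic's scope.
    {"EventCode": 11, "Image": r"C:\Program Files\Vendor\agent.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\lsass.dmp"},
    # Process-create event, not a file-create event.
    {"EventCode": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": ""},
]


def matches_analytic(event):
    """Return True when a Sysmon event satisfies the CAR pseudocode filter:
    a File:Create (Event ID 11) where the created file's name matches
    lsass*.dmp and the writing image is taskmgr.exe under C:\\Windows."""
    if event.get("EventCode") != 11:
        return False
    # ntpath handles backslash-separated Windows paths on any host OS.
    file_name = ntpath.basename(event.get("TargetFilename", "")).lower()
    image_path = event.get("Image", "").lower()
    # fnmatchcase keeps matching platform-independent; the lowercasing above
    # provides the case-insensitivity the Splunk search relies on.
    return (fnmatch.fnmatchcase(file_name, FILE_NAME_PATTERN)
            and fnmatch.fnmatchcase(image_path, IMAGE_PATH_PATTERN))


def find_lsass_dumps(events):
    """Return the subset of events that match the analytic."""
    return [e for e in events if matches_analytic(e)]


if __name__ == "__main__":
    for hit in find_lsass_dumps(SAMPLE_EVENTS):
        print("LSASS dump via Task Manager:", hit["TargetFilename"])
```

Running the script on the constructed events reports the two lsass dumps and ignores the notepad dump, the dump written by a non-Task-Manager image, and the process-create event. Dropping the lowercasing would silently miss the real "lsass.DMP" file name, which is the kind of gap worth checking when porting the analytic to a case-sensitive backend.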

ikiril01 commented 4 years ago

@ForensicITGuy thanks for the contribution - it's especially great that you included multiple implementations :)

A few questions:

ForensicITGuy commented 4 years ago

Hey @ikiril01, that would be correct; it would be a TTP.

For the second question, there's no place to specify the file name with Task Manager; it should always be deterministic, such as lsass.dmp, lsass (1).dmp, and so on.

ikiril01 commented 4 years ago

Added this in a PR - #32. Thanks again for the submission!