mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

Credential Dumping via Sysinternals ProcDump #27

Closed ForensicITGuy closed 4 years ago

ForensicITGuy commented 4 years ago

Credential Dumping via Sysinternals ProcDump

The Sysinternals ProcDump utility may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.

ATT&CK Coverage

Technique            Level of Coverage
Credential Dumping   Moderate

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

processes = search Process:Create
procdump_lsass = filter processes where (
    exe = "procdump*.exe"  and
    command_line = "*lsass*")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"

EQL

process where subtype.create and
  process_name == "procdump*.exe" and command_line == "*lsass*"

Test Cases

  1. Open a Windows Command Prompt or PowerShell instance.
  2. Navigate to folder containing ProcDump.
  3. Execute procdump.exe -ma lsass.exe lsass_dump

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Object    Action   Field
process   create   exe
process   create   command_line

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
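The pseudocode filter above (exe = "procdump*.exe" and command_line = "*lsass*") run over constructed Sysmon Event ID 1 records, as an added Python example that is not part of this issue or of the CAR repository; the record layout, sample paths and helper names are assumptions:

```python
import fnmatch
import re

# Constructed Sysmon Event ID 1 (process create) records as a SIEM might surface them.
# Field names follow Sysmon (Image, CommandLine); the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe lsass_dump"},      # should match
    {"EventCode": 1, "Image": r"C:\Users\admin\Downloads\ProcDump.exe",
     "CommandLine": "ProcDump.exe -ma LSASS.exe lsass_dump"},        # should match (case)
    {"EventCode": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma notepad.exe notepad_dump"},    # benign ProcDump use
    {"EventCode": 1, "Image": r"C:\Windows\System32\lsass.exe",
     "CommandLine": r"C:\Windows\system32\lsass.exe"},               # lsass itself starting
]


def _wildcard(pattern: str) -> re.Pattern:
    """Translate a CAR/Splunk-style '*' glob into an anchored, case-insensitive regex."""
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)


EXE_PATTERN = _wildcard("procdump*.exe")
CMD_PATTERN = _wildcard("*lsass*")


def basename(image: str) -> str:
    """CAR's 'exe' field is the file name; Sysmon's Image is the full path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def matches_analytic(event: dict) -> bool:
    """True when a process-create event satisfies both analytic conditions."""
    if event.get("EventCode") != 1:          # only Process:Create events are in scope
        return False
    return bool(EXE_PATTERN.match(basename(event["Image"]))
                and CMD_PATTERN.match(event["CommandLine"]))


def find_procdump_lsass(events):
    """Apply the analytic to a batch of events and return the matching ones."""
    return [e for e in events if matches_analytic(e)]


if __name__ == "__main__":
    for hit in find_procdump_lsass(SAMPLE_EVENTS):
        print("ALERT procdump targeting lsass:", hit["CommandLine"])
```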

ikiril01 commented 4 years ago

@ForensicITGuy thanks for the contribution! We actually just added an analytic for this from another contribution: https://car.mitre.org/analytics/CAR-2019-07-002/

However, you've provided some useful additional information here, including some different implementations and test cases. If it's ok with you, I'll merge this into the existing analytic and add you as a contributor.

ForensicITGuy commented 4 years ago

Hey, absolutely, I'm good with it.

ikiril01 commented 4 years ago

@ForensicITGuy awesome - thanks! I've updated the analytic with your contributions in https://github.com/mitre-attack/car/commit/48f30fd2da49e1cb7644510f32fa51f01ce762fc.