Closed ForensicITGuy closed 4 years ago
@ForensicITGuy thanks for the contribution! We actually just added an analytic for this from another contribution: https://car.mitre.org/analytics/CAR-2019-07-002/
However, you've provided some useful additional information here, including some different implementations and test cases. If it's ok with you, I'll merge this into the existing analytic and add you as a contributor.
Hey absolutely, I'm good with it
@ForensicITGuy awesome - thanks! I've updated the analytic with your contributions in https://github.com/mitre-attack/car/commit/48f30fd2da49e1cb7644510f32fa51f01ce762fc.
Credential Dumping via Sysinternals ProcDump
The Sysinternals ProcDump utility may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
ATT&CK Coverage
Analytic Code
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
Pseudocode
Splunk, Sysmon native
EQL
Test Cases
procdump.exe -ma lsass.exe lsass_dump
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
Developer Certificate of Origin
DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
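As an added example, not part of this contribution or of the CAR analytic it was merged into, the following Python shows the detection logic the analytic describes (ProcDump launched with lsass.exe named on the command line) run over constructed Sysmon Event ID 1 process-creation records. The field names (Image, CommandLine, OriginalFileName, User) are Sysmon's; every value is made up, the first record reproduces the test case above, and the assumption that ProcDump's PE OriginalFileName is "procdump" is labelled in the code. Matching on OriginalFileName as well as the image name is added so the check does not depend on the binary keeping its file name; the command line is tokenised so that a file merely containing "lsass" in its name does not trigger.

```python
# Added example (not the contributor's or CAR's own code): flag process-creation
# events in which ProcDump is launched against lsass.exe.

# Constructed sample Sysmon Event ID 1 records as dicts. Field names follow the
# Sysmon schema; every value is made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe lsass_dump",
     "OriginalFileName": "procdump", "User": r"CORP\admin"},
    {"Image": r"C:\Users\dev\renamed.exe",
     "CommandLine": r"renamed.exe -accepteula -ma lsass.exe C:\temp\x.dmp",
     "OriginalFileName": "procdump", "User": r"CORP\dev"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma notepad.exe notepad.dmp",
     "OriginalFileName": "procdump", "User": r"CORP\dev"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe lsass_notes.txt",
     "OriginalFileName": "NOTEPAD.EXE", "User": r"CORP\dev"},
]

PROCDUMP_IMAGES = {"procdump.exe", "procdump64.exe"}
# Assumption: the PE OriginalFileName of the ProcDump binaries is "procdump".
PROCDUMP_ORIGINAL_NAME = "procdump"
LSASS_TOKENS = {"lsass", "lsass.exe"}


def image_basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_procdump(event: dict) -> bool:
    """True if the launched image is ProcDump by file name or PE metadata."""
    return (image_basename(event.get("Image", "")) in PROCDUMP_IMAGES
            or event.get("OriginalFileName", "").lower() == PROCDUMP_ORIGINAL_NAME)


def targets_lsass(command_line: str) -> bool:
    """True if lsass appears as its own argument (not merely as a substring)."""
    tokens = [t.strip('"').lower() for t in command_line.split()]
    # Skip the first token, which is the program itself.
    return any(t in LSASS_TOKENS for t in tokens[1:])


def is_lsass_dump_via_procdump(event: dict) -> bool:
    """Combine both conditions of the analytic for a single event."""
    return is_procdump(event) and targets_lsass(event.get("CommandLine", ""))


def scan(events) -> list:
    """Return one alert dict per matching event, in input order."""
    alerts = []
    for ev in events:
        if is_lsass_dump_via_procdump(ev):
            alerts.append({
                "rule": "Credential dumping via Sysinternals ProcDump",
                "user": ev.get("User", ""),
                "image": ev.get("Image", ""),
                "command_line": ev.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the test-case invocation and the record whose image name differs but whose OriginalFileName still identifies ProcDump; the ProcDump run against notepad.exe and the unrelated notepad.exe launch are not flagged.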