forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaccess_lsass_memory_for_dump_creation.yml
More file actions
88 lines (88 loc) · 3.33 KB
/
access_lsass_memory_for_dump_creation.yml
File metadata and controls
88 lines (88 loc) · 3.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
asset_type: Windows
confidence: high
creation_date: '2019-12-06'
data_metadata:
data_eventtypes:
- wineventlog_sysmon
data_source:
- Windows Event Logs
providing_technologies:
- Microsoft Windows
description: Detect memory dumping of the LSASS process.
detect:
splunk:
correlation_rule:
notable:
nes_fields: dest
rule_description: Possible attempt at credential dumping was detected on $dest$.
rule_title: LSASS memory dump detected on $dest$.
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 70
macros:
- sysmon
- access_lsass_memory_for_dump_creation_filter
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll*
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId
| rename Computer as dest
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
| `access_lsass_memory_for_dump_creation_filter` '
suppress:
suppress_fields: dest
suppress_period: 86400s
eli5: dbgcore.dll is a specifc DLL for Windows core debugging. It is used to obtain a memory dump of a process.
This search detects the usage of this DLL for creating a memory dump of LSASS process. Memory dumps of the LSASS process
can be created with tools such as Windows Task Manager or procdump.
entities:
- dest
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
investigations:
- id: 5de385bf-4f1e-404e-9b67-92d162ff8938ad
name: Investigate Previous Unseen User
type: splunk
- id: 097e8030-8662-4254-a735-bf0bdda696e3
name: Investigate Failed Logins for Multiple Destinations
type: splunk
- id: ed3fff45-cba6-4990-983f-6fac72bee659
name: Investigate Pass the Hash Attempts
type: splunk
- id: 990007ad-d798-4b29-ab2f-f0034144c937
name: Investigate Pass the Ticket Attempts
type: splunk
known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
maintainers:
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
mappings:
cis20:
- CIS 6
- CIS 8
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Credential Access
- Credential Dumping
mitre_technique_id:
- T1003
nist:
- DE.CM
modification_date: '2019-12-06'
name: Access LSASS Memory for Dump Creation
original_authors:
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
references:
- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
security_domain: endpoint
spec_version: 2
type: splunk
version: "1"