forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathcred_dump_via_copy_from_shadowcopy.yml
More file actions
90 lines (90 loc) · 3.39 KB
/
cred_dump_via_copy_from_shadowcopy.yml
File metadata and controls
90 lines (90 loc) · 3.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
asset_type: Endpoint
confidence: high
creation_date: '2019-12-10'
data_metadata:
data_models:
- Endpoint
data_source:
- Endpoint Intel
providing_technologies:
- Sysmon
description: This search detects credential dumping using copy command from a shadow copy.
detect:
splunk:
correlation_rule:
notable:
nes_fields: user, dest, process_name, process
rule_description: credential dumping using copy command was detected on $dest$.
rule_title: Attempted Credential Dump using copy command from $user$
risk:
risk_object: user
risk_object_type:
- user
risk_score: 40
macros:
- cred_dump_via_copy_from_shadowcopy_filter
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*)
by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
| `cred_dump_via_copy_from_shadowcopy_filter`'
suppress:
suppress_fields: user, dest, process
suppress_period: 86400s
eli5: The file system, security, sam and ntds.dit containing sensitive credentials. Normally, the files can't be easily copied.
But it is possible by creating first a shadow copy and then copy it from the shadow copy. This search will detect this attack of
credential dumping.
entities:
- dest
how_to_implement: You must be ingesting endpoint data that tracks process activity,
including parent-child relationships from your endpoints to populate the Endpoint
data model in the Processes node. The command-line arguments are mapped to the "process"
field in the Endpoint data model.
id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b
investigations:
- id: 5de385bf-4f1e-404e-9b67-92d162ff8938ad
name: Investigate Previous Unseen User
type: splunk
- id: 097e8030-8662-4254-a735-bf0bdda696e3
name: Investigate Failed Logins for Multiple Destinations
type: splunk
- id: ed3fff45-cba6-4990-983f-6fac72bee659
name: Investigate Pass the Hash Attempts
type: splunk
- id: 990007ad-d798-4b29-ab2f-f0034144c937
name: Investigate Pass the Ticket Attempts
type: splunk
known_false_positives: unknown
maintainers:
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
mappings:
cis20:
- CIS 8
- CIS 16
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Credential Access
- Credential Dumping
mitre_technique_id:
- T1003
nist:
- DE.CM
modification_date: '2019-12-10'
name: Credential Dumping via Copy Command from Shadow Copy
original_authors:
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
references:
- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
security_domain: endpoint
spec_version: 2
type: splunk
version: '1.0'