credential_access_potential_lsa_secrets_registry_dumping.yml
name: Potential LSA secrets registry dumping
id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af
version: 1.0.0
description: |
  Identifies potential dumping of LSA secrets by suspicious processes that access
  sensitive SECURITY registry hives associated with cached credentials and LSA secret
  storage.
  This behavior is commonly observed in credential dumping utilities attempting to
  extract plaintext secrets, service credentials, or cached domain credentials from
  the Local Security Authority.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.004
  subtechnique.name: LSA secrets
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/004/
references:
  - https://github.com/almounah/silp
# Two-stage sequence joined on the process UUID: first a process is spawned at an
# integrity level above MEDIUM and is not one of the excluded binaries (regedit,
# anything under Program Files, and lsass itself, which legitimately owns these keys);
# then, within 10 minutes, the same process opens the SECURITY hive keys that hold
# cached domain credentials (CACHE) or LSA secrets (Policy\Secrets), except the
# $MACHINE.ACC CupdTime subkey, which is excluded as routine noise.
condition: >
  sequence
  maxspan 10m
  by ps.uuid
    |spawn_process and
      ps.token.integrity_level not in ('LOW', 'MEDIUM') and
      ps.exe not imatches
        (
          '?:\\Windows\\regedit.exe',
          '?:\\Program Files\\*',
          '?:\\Program Files (x86)\\*',
          '?:\\Windows\\System32\\lsass.exe'
        )
    |
    |open_registry and
      registry.path imatches
        (
          'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*',
          'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*'
        ) and
      registry.path not imatches
        (
          'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
        )
    |
action:
  - name: kill
severity: critical
min-engine-version: 3.0.0
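As an added illustration, not part of this rule or of the Fibratus project, the following Python approximates how the two-stage sequence above evaluates over a stream of process and registry events, so the exclusions and the `maxspan` window can be checked against constructed telemetry. The `Event` shape, `evaluate`, and the sample events are assumptions, and the rule's `imatches` operator is approximated with `fnmatch` case-insensitive globbing.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
MAXSPAN = 10 * 60  # the rule's `maxspan 10m`, in seconds
EXE_EXCLUDES = [r"?:\Windows\regedit.exe", r"?:\Program Files\*",
                r"?:\Program Files (x86)\*", r"?:\Windows\System32\lsass.exe"]
PATH_INCLUDES = [r"HKEY_LOCAL_MACHINE\SECURITY\CACHE\*",
                 r"HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\*"]
PATH_EXCLUDES = [r"HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime\*"]

def imatches(value, patterns):  # case-insensitive glob, approximating the rule's `imatches`
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

@dataclass
class Event:  # hypothetical flat event shape, not Fibratus' own schema
    ts: float          # seconds since the start of the trace
    kind: str          # "spawn_process" or "open_registry"
    ps_uuid: str       # the sequence's `by ps.uuid` join key
    exe: str = ""
    integrity: str = ""
    reg_path: str = ""

def stage1(e):  # spawn_process: elevated process that is not an excluded binary
    return e.integrity not in ("LOW", "MEDIUM") and not imatches(e.exe, EXE_EXCLUDES)

def stage2(e):  # open_registry: LSA secrets / cached-credential keys, minus CupdTime noise
    return imatches(e.reg_path, PATH_INCLUDES) and not imatches(e.reg_path, PATH_EXCLUDES)

def evaluate(events):
    """Return ps.uuid values whose stage-1 spawn is followed by a stage-2 open within maxspan."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "spawn_process" and stage1(e):
            pending[e.ps_uuid] = e.ts
        elif e.kind == "open_registry" and stage2(e):
            t0 = pending.pop(e.ps_uuid, None)
            if t0 is not None and e.ts - t0 <= MAXSPAN:
                hits.append(e.ps_uuid)
    return hits

SECRET = r"HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal"
SAMPLE_EVENTS = [  # constructed telemetry: one true positive and three cases that must not fire
    Event(0, "spawn_process", "ps-1", exe=r"C:\Users\bob\dump.exe", integrity="HIGH"),
    Event(30, "open_registry", "ps-1", reg_path=SECRET),
    Event(0, "spawn_process", "ps-2", exe=r"C:\Windows\REGEDIT.EXE", integrity="HIGH"),
    Event(5, "open_registry", "ps-2", reg_path=r"HKEY_LOCAL_MACHINE\SECURITY\Cache\NL$1"),
    Event(0, "spawn_process", "ps-3", exe=r"C:\Users\bob\dump.exe", integrity="MEDIUM"),
    Event(20, "open_registry", "ps-3", reg_path=SECRET),
    Event(0, "spawn_process", "ps-4", exe=r"C:\Users\bob\dump.exe", integrity="HIGH"),
    Event(700, "open_registry", "ps-4", reg_path=SECRET),  # 11m40s later: outside maxspan
]
```

Running `evaluate(SAMPLE_EVENTS)` yields only `ps-1`: the regedit process, the MEDIUM-integrity process, and the open that arrives after the 10-minute window all fall out exactly where the rule's exclusions and `maxspan` say they should.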