credential_access_lsass_memory_dump_via_minidumpwritedump.yml
name: LSASS memory dump via MiniDumpWriteDump
id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
version: 1.0.2
description: |
  Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump its
  memory via the MiniDumpWriteDump API.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.001
  subtechnique.name: LSASS Memory
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
references:
  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
  - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
  - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass

condition: >
  ((open_process) or (open_thread)) and
  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
  (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))

action:
  - name: kill

output: >
  LSASS memory dump attempt by process %ps.exe via MiniDumpWriteDump
severity: high

min-engine-version: 3.0.0
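The condition above has three gates: the event must be a process or thread open, the target image must be lsass.exe on any drive letter (`?` matches exactly one character), and the caller's stack must show a minidump library or the MiniDumpWriteDump symbol. The following is an added walk-through, not Fibratus code, that re-implements those three clauses in Python and runs them over constructed sample events. The dict keys (`type`, `arg.exe`, `ps.exe`, `callstack.modules`, `callstack.symbols`) are this script's own shorthand for the rule fields, not the Fibratus event schema, and the call stacks are illustrative rather than captured telemetry.

```python
import fnmatch

# The three clauses of the rule condition, transcribed from the YAML rule.
LSASS_PATTERN = r"?:\Windows\System32\lsass.exe"            # evt.arg[exe] imatches ...
DUMP_MODULE_PATTERNS = ("*dbgcore.dll", "*comsvcs.dll")     # thread.callstack.modules imatches (...)
DUMP_SYMBOL_PATTERNS = ("*MiniDumpWriteDump",)              # thread.callstack.symbols imatches (...)
ACCESS_EVENTS = ("OpenProcess", "OpenThread")               # (open_process) or (open_thread)


def imatches(value, patterns):
    """Case-insensitive glob match ('*' = any run, '?' = one char) against any of the patterns."""
    if isinstance(patterns, str):
        patterns = (patterns,)
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def any_imatches(values, patterns):
    """imatches over a list-valued field such as thread.callstack.modules."""
    return any(imatches(v, patterns) for v in values)


def rule_matches(evt):
    """Evaluate the rule condition against one constructed event dict."""
    if evt["type"] not in ACCESS_EVENTS:
        return False
    if not imatches(evt["arg.exe"], LSASS_PATTERN):
        return False
    return (any_imatches(evt["callstack.modules"], DUMP_MODULE_PATTERNS)
            or any_imatches(evt["callstack.symbols"], DUMP_SYMBOL_PATTERNS))


def render_output(evt):
    """Expand the rule's output template (%ps.exe is the calling process image)."""
    return f"LSASS memory dump attempt by process {evt['ps.exe']} via MiniDumpWriteDump"


def evaluate(events):
    """Return (alert text, action) for every event the rule fires on, in input order."""
    return [(render_output(e), "kill") for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry). Keys are this script's names for
# the rule fields, not the Fibratus event schema.
SAMPLE_EVENTS = [
    {   # Security product opening LSASS: no minidump frames on the stack, so no alert.
        "type": "OpenProcess",
        "arg.exe": r"C:\Windows\System32\lsass.exe",
        "ps.exe": r"C:\Program Files\ExampleAV\avscan.exe",
        "callstack.modules": [r"C:\Windows\System32\KERNELBASE.dll", r"C:\Program Files\ExampleAV\avscan.exe"],
        "callstack.symbols": ["KERNELBASE.dll!OpenProcess", "avscan.exe!ScanProcess"],
    },
    {   # Dump through comsvcs.dll: the module clause fires even though the exported
        # symbol on the stack is the comsvcs wrapper, not MiniDumpWriteDump itself.
        "type": "OpenProcess",
        "arg.exe": r"C:\Windows\System32\lsass.exe",
        "ps.exe": r"C:\Windows\System32\rundll32.exe",
        "callstack.modules": [r"C:\Windows\System32\KERNELBASE.dll", r"C:\Windows\System32\comsvcs.dll", r"C:\Windows\System32\rundll32.exe"],
        "callstack.symbols": ["KERNELBASE.dll!OpenProcess", "comsvcs.dll!MiniDumpW", "rundll32.exe!RunDllMain"],
    },
    {   # Custom dumper seen on a thread open issued from inside MiniDumpWriteDump (illustrative
        # stack); the open_thread branch catches it, and mixed case shows why imatches is used.
        "type": "OpenThread",
        "arg.exe": r"c:\windows\system32\LSASS.EXE",
        "ps.exe": r"C:\Users\alice\Downloads\dumper.exe",
        "callstack.modules": [r"C:\Windows\System32\KERNELBASE.dll", r"C:\Windows\System32\dbgcore.DLL", r"C:\Users\alice\Downloads\dumper.exe"],
        "callstack.symbols": ["KERNELBASE.dll!OpenThread", "dbgcore.dll!MiniDumpWriteDump", "dumper.exe!main"],
    },
    {   # Crash reporter minidumping an ordinary application: target is not LSASS, no alert.
        "type": "OpenProcess",
        "arg.exe": r"C:\Program Files\App\app.exe",
        "ps.exe": r"C:\Windows\System32\WerFault.exe",
        "callstack.modules": [r"C:\Windows\System32\dbgcore.dll"],
        "callstack.symbols": ["dbgcore.dll!MiniDumpWriteDump"],
    },
    {   # Same dumper stack on a non-open event: the rule is gated on process/thread opens only.
        "type": "CreateFile",
        "arg.exe": r"C:\Windows\System32\lsass.exe",
        "ps.exe": r"C:\Users\alice\Downloads\dumper.exe",
        "callstack.modules": [r"C:\Windows\System32\dbgcore.dll"],
        "callstack.symbols": ["dbgcore.dll!MiniDumpWriteDump"],
    },
]


if __name__ == "__main__":
    for text, action in evaluate(SAMPLE_EVENTS):
        print(f"[{action}] {text}")
```

Running the script alerts on the rundll32 and dumper events only; the security product, the WerFault dump of a non-LSASS process, and the file event all fall through. Note the `?:` prefix: a UNC path such as `\\server\share\...` does not satisfy the drive-letter pattern, which is the intended scope of the rule rather than a gap in this transcription.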