diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_potential_lsass_memory_dump.yml similarity index 55% rename from rules/credential_access_lsass_memory_dumping.yml rename to rules/credential_access_potential_lsass_memory_dump.yml index f3f0153f4..4aa5ca6af 100644 --- a/rules/credential_access_lsass_memory_dumping.yml +++ b/rules/credential_access_potential_lsass_memory_dump.yml @@ -1,10 +1,13 @@ -name: LSASS memory dumping via legitimate or offensive tools +name: Potential LSASS memory dump id: 335795af-246b-483e-8657-09a30c102e63 -version: 1.2.1 +version: 2.0.0 description: | - Detects an attempt to dump the LSAAS memory to the disk by employing legitimate - tools such as procdump, Task Manager, Process Explorer or built-in Windows tools - such as comsvcs.dll. + Detects attempts to dump the LSASS process memory to disk for credential + extraction. LSASS (Local Security Authority Subsystem Service) stores + credential material in its process memory including NTLM hashes, Kerberos + tickets. Adversaries who obtain a full or mini memory dump of LSASS process + can extract these credentials offline using tools such as Mimikatz, pypykatz, + or Volatility. labels: tactic.id: TA0006 tactic.name: Credential Access @@ -29,24 +32,18 @@ condition: > ps.exe not imatches ( '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\Windows\\System32\\lsm.exe', + '?:\\Windows\\system32\\MRT.exe', + '?:\\Windows\\System32\\wininit.exe', + '?:\\Windows\\System32\\services.exe', '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' ) | - |create_new_file and - file.path not imatches - ( - '?:\\$WinREAgent\\Scratch\\*', - '?:\\Windows\\WinSxS\\*', - '?:\\Windows\\CbsTemp\\*', - '?:\\Windows\\SoftwareDistribution\\*' - ) and - (file.extension iin ('.dmp', '.mdmp', '.dump') or is_minidump(file.path)) - | + |create_file and file.extension iin ('.dmp', '.mdmp', '.dump')| output: > - Detected an attempt by `%1.ps.name` process to access and read - the memory of the **Local Security And Authority Subsystem Service** - and subsequently write the `%2.file.path` dump file to the disk device + Detected LSASS access by process %1.ps.exe and subsequent dump file %2file.path creation severity: critical min-engine-version: 3.0.0