Windows OS Credential Dumping with Procdump
Description
Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.
During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
- Type: TTP
-
Product: Splunk Behavioral Analytics
- Last Updated: 2022-08-31
- Author: Michael Haag, Splunk
- ID: e102e297-dbe6-4a19-b319-5c08f4c19a06
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$main = from source
| eval timestamp = time
| eval metadata_uid = metadata.uid
| eval process_pid = process.pid
| eval process_file = process.file
| eval process_file_path = process_file.path
| eval process_file_name = lower(process_file.name)
| eval process_cmd_line = process.cmd_line
| eval actor_user = actor.user
| eval actor_user_name = actor_user.name
| eval actor_process = actor.process
| eval actor_process_pid = actor_process.pid
| eval actor_process_file = actor_process.file
| eval actor_process_file_path = actor_process_file.path
| eval actor_process_file_name = actor_process_file.name
| eval device_hostname = device.hostname
| where ((process_cmd_line LIKE "%-ma %" OR process_cmd_line LIKE "%-mm %") AND (process_file_name IN ("procdump64.exe", "procdump.exe"))) AND process_cmd_line LIKE "%lsass%" --finding_report--
Macros
The SPL above uses the following Macros:
windows_os_credential_dumping_with_procdump_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- process.pid
- process.file.path
- process.file.name
- process.cmd_line
- actor.user.name
- actor.process.pid
- actor.process.file.path
- actor.process.file.name
- device.hostname
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
None identified.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 80.0 | 80 | 100 | Procdump was utilized to dump lsass on $dest_device_id$ by $dest_user_id$. |
Reference
- https://attack.mitre.org/techniques/T1003/001/
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2—dump-lsassexe-memory-using-procdump
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 5