ID | Technique | Tactic |
---|---|---|
T1003.001 | LSASS Memory | Credential Access |
Detection: Dump LSASS via procdump Rename
DEPRECATED DETECTION
This detection has been marked as deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
Search
1`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass*
2| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| `dump_lsass_via_procdump_rename_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon EventID 1 | Windows | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
dump_lsass_via_procdump_rename_filter | search * |
dump_lsass_via_procdump_rename_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | False |
Implementation
To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint
datamodel in the Processes
node.
Known False Positives
None identified.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe. | 80 | 80 | 100 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ❌ Failing | N/A | N/A |
N/A |
Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3