Updates (description, implementations, test cases) from #27

mitre-attack · Jul 31, 2019 · 48f30fd · 48f30fd
1 parent 22eed26
commit 48f30fd
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 31 deletions.
diff --git a/analytics/CAR-2019-07-002.yaml b/analytics/CAR-2019-07-002.yaml
@@ -7,38 +7,61 @@ subtypes:
 analytic_types:
   - TTP
 contributors:
-  - Kaushal Parikh
-  - Cyware Labs
+  - Kaushal Parikh/Cyware Labs
+  - Tony Lambert/Red Canary
   - MITRE
 id: CAR-2019-07-002
 description: |-
   [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. 
 
-  Procdump is also used by attackers for malicious purposes such as dumping process memory from lsass and using this dump for credential harvesting. Tools like Mimikatz can be further used to parse/read the credentials from the procdump files of lsass.exe. 
+  ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
 
-  This process of credential dumping as performed by an attacker consists of two steps.
-    1. Performing the procdump of the lsass process
-    2. Running tools like Mimikatz to get credentials from the dump
-  In this analytic we are trying to detect the first step of the above process.
-
-  Note - the CAR data model currently does not support process access actions, so there is no pseudocode implementation for this analytic.
+  Note - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.
 coverage:
   - technique: T1003
     tactics:
       - TA0006
     coverage: Low
 implementations:
-  - name: Common Procdump Lsass Access Pattern
-    description: A Splunk search that looks for process access events that target lsass.exe.
+  - name: Procdump - Process Create
+    description: This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line.
     code: |-
-      index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
+      processes = search Process:Create
+      procdump_lsass = filter processes where (
+        exe = "procdump*.exe"  and
+        command_line = "*lsass*")
+      output procdump_lsass
+    type: Pseudocode
+  - name: Procdump - Process Create
+    description: A Splunk/Sysmon version of the above pseudocode.
+    code: |-
+      index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
     type: Splunk
-  - name: Common Procdump Lsass Access Pattern
-    description: 'An [EQL Version](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html), similar to the above Splunk search, but one that looks for process create events around procdump that contain lsass in the command line.'
+    data_model: Sysmon native
+  - name: Procdump - Process Create
+    description: 'An [EQL Version](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html) of the above pseudocode.'
     type: EQL
-  - name: Common Procdump Lsass Access Pattern
+  - name: Procdump - Process Access
+    description: A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe.
+    code: |-
+      index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
+    type: Splunk
+    data_model: Sysmon native
+  - name: Procdump - Process Access
     description: 'A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) of the above Splunk search, with some more stringent criteria around calltrace.'
     type: Sigma
+data_model_references:
+  - process/create/exe
+  - process/create/command_line
+unit_tests: 
+  - description: |-
+      1. Open a Windows Command Prompt or PowerShell instance.
+      2. Navigate to folder containing ProcDump.
+      3. Execute procdump.exe -ma lsass.exe lsass_dump
+
+
+
+
 
 
 

diff --git a/docs/analytics/CAR-2019-07-002/index.md b/docs/analytics/CAR-2019-07-002/index.md
@@ -5,51 +5,87 @@ submission_date: 2019/07/29
 information_domain: Host
 subtypes: Process
 analytic_type: TTP
-contributors: Kaushal Parikh, Cyware Labs, MITRE
+contributors: Kaushal Parikh/Cyware Labs, Tony Lambert/Red Canary, MITRE
 ---
 
 [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. 
 
-Procdump is also used by attackers for malicious purposes such as dumping process memory from lsass and using this dump for credential harvesting. Tools like Mimikatz can be further used to parse/read the credentials from the procdump files of lsass.exe. 
+ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
 
-This process of credential dumping as performed by an attacker consists of two steps.
-  1. Performing the procdump of the lsass process
-  2. Running tools like Mimikatz to get credentials from the dump
-In this analytic we are trying to detect the first step of the above process.
-
-Note - the CAR data model currently does not support process access actions, so there is no pseudocode implementation for this analytic.
+Note - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.
 
 ## ATT&CK Detection
 
 |Technique |Tactic |Level of Coverage |
 |---|---|---|
 |[Credential Dumping](https://attack.mitre.org/techniques/T1003/)|[Credential Access](https://attack.mitre.org/tactics/TA0006/)|Low|
 
+## Data Model References
+
+|Object|Action|Field|
+|---|---|---|
+|[process](/data_model/process) | [create](/data_model/process#create) | [exe](/data_model/process#exe) |
+|[process](/data_model/process) | [create](/data_model/process#create) | [command_line](/data_model/process#command_line) |
+
 
 ## Implementations
 
-### Common Procdump Lsass Access Pattern (Splunk)
+### Procdump - Process Create (Pseudocode)
 
 
-A Splunk search that looks for process access events that target lsass.exe.
+This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line.
 
 
 ```
-index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
+processes = search Process:Create
+procdump_lsass = filter processes where (
+  exe = "procdump*.exe"  and
+  command_line = "*lsass*")
+output procdump_lsass
+```
+
+
+### Procdump - Process Create (Splunk, Sysmon native)
+
+
+A Splunk/Sysmon version of the above pseudocode.
+
+
+```
+index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
 ```
 
 
-### Common Procdump Lsass Access Pattern (Eql)
+### Procdump - Process Create (Eql)
 
 
-An [EQL Version](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html), similar to the above Splunk search, but one that looks for process create events around procdump that contain lsass in the command line.
+An [EQL Version](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html) of the above pseudocode.
 
 
 
-### Common Procdump Lsass Access Pattern (Sigma)
+### Procdump - Process Access (Splunk, Sysmon native)
+
+
+A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe.
+
+
+```
+index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
+```
+
+
+### Procdump - Process Access (Sigma)
 
 
 A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) of the above Splunk search, with some more stringent criteria around calltrace.
 
 
 
+
+## Unit Tests
+
+### Test Case 1
+
+1. Open a Windows Command Prompt or PowerShell instance.
+2. Navigate to folder containing ProcDump.
+3. Execute procdump.exe -ma lsass.exe lsass_dump
diff --git a/docs/analytics/index.md b/docs/analytics/index.md
@@ -56,4 +56,4 @@ permalink: /analytics/
 |[CAR-2019-04-003: Squiblydoo](CAR-2019-04-003)|[Regsvr32](https://attack.mitre.org/techniques/T1117/)|Eql, Psuedocode, Splunk|
 |[CAR-2019-04-004: Credential Dumping via Mimikatz](CAR-2019-04-004)|[Credential Dumping](https://attack.mitre.org/techniques/T1003/)|Splunk|
 |[CAR-2019-07-001: Access Permission Modification](CAR-2019-07-001)|[File Permissions Modification](https://attack.mitre.org/techniques/T1222/)|Pseudocode, Splunk|
-|[CAR-2019-07-002: Lsass Process Dump via Procdump](CAR-2019-07-002)|[Credential Dumping](https://attack.mitre.org/techniques/T1003/)|Eql, Sigma, Splunk|
+|[CAR-2019-07-002: Lsass Process Dump via Procdump](CAR-2019-07-002)|[Credential Dumping](https://attack.mitre.org/techniques/T1003/)|Eql, Pseudocode, Sigma, Splunk|