Windows OS Credential Dumping with Procdump
Description
Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage: -mm produces a mini dump file and -ma writes a dump file containing all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE, and it only matches the file names procdump.exe and procdump64.exe. Modify the query as needed.
During triage, confirm that it is procdump.exe executing. If this is the first time a Sysinternals utility has been run on the host, it is possible that -accepteula will also appear on the command line. Review other endpoint data sources for cross-process access (injection) into lsass.exe.
- Type: TTP
- Product: Splunk Behavioral Analytics
- Last Updated: 2022-08-31
- Author: Michael Haag, Splunk
- ID: e102e297-dbe6-4a19-b319-5c08f4c19a06
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
```
$main = from source
| eval timestamp = time
| eval metadata_uid = metadata.uid
| eval process_pid = process.pid
| eval process_file = process.file
| eval process_file_path = process_file.path
| eval process_file_name = lower(process_file.name)
| eval process_cmd_line = process.cmd_line
| eval actor_user = actor.user
| eval actor_user_name = actor_user.name
| eval actor_process = actor.process
| eval actor_process_pid = actor_process.pid
| eval actor_process_file = actor_process.file
| eval actor_process_file_path = actor_process_file.path
| eval actor_process_file_name = actor_process_file.name
| eval device_hostname = device.hostname
| where ((process_cmd_line LIKE "%-ma %" OR process_cmd_line LIKE "%-mm %") AND (process_file_name IN ("procdump64.exe", "procdump.exe"))) AND process_cmd_line LIKE "%lsass%" --finding_report--
```
Macros
The SPL above uses the following Macros:
windows_os_credential_dumping_with_procdump_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- process.pid
- process.file.path
- process.file.name
- process.cmd_line
- actor.user.name
- actor.process.pid
- actor.process.file.path
- actor.process.file.name
- device.hostname
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
None identified.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 80.0 | 80 | 100 | Procdump was utilized to dump lsass on $dest_device_id$ by $dest_user_id$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact values are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1003/001/
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 5