T1003.001 Update

Author: MHaggis

detections/endpoint/windows_possible_credential_dumping.yml

@@ -1,7 +1,7 @@
 name: Windows Possible Credential Dumping
 id: e4723b92-7266-11ec-af45-acde48001122
-version: 2
-date: '2022-01-27'
+version: 3
+date: '2022-08-24'
 author: Michael Haag, Splunk
 type: TTP
 datamodel: []
@@ -23,12 +23,8 @@ description: 'The following analytic is an enhanced version of two previous anal
   The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll.
   For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory,
   used to execute this module which is related to lsass dumping.'
-search: '`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess IN ("0x01000",
-  "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438",
-  "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*") | stats
-  count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess,
-  SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest |
-  `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`'
+search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe GrantedAccess IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
+  | `windows_possible_credential_dumping_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
   endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
@@ -42,6 +38,7 @@ references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1
 tags:
   analytic_story:
   - Credential Dumping

lookups/hijacklibs.csv

@@ -5,13 +5,16 @@ hha.dll,TRUE
 aclui.dll,TRUE
 xwtpw32.dll,TRUE
 xwizards.dll,TRUE
+xpsservices.dll,TRUE
 xolehlp.dll,TRUE
 xmllite.dll,TRUE
 wwapi.dll,TRUE
 wwancfg.dll,TRUE
 wtsapi32.dll,TRUE
+wsmsvc.dll,TRUE
 wshelper.dll,TRUE
 wshbth.dll,TRUE
+wscapi.dll,TRUE
 wpdshext.dll,TRUE
 wofutil.dll,TRUE
 wmsgapi.dll,TRUE
@@ -25,8 +28,10 @@ wlbsctrl.dll,TRUE
 wlancfg.dll,TRUE
 wlanapi.dll,TRUE
 wkscli.dll,TRUE
+winsync.dll,TRUE
 winsta.dll,TRUE
 winsqlite3.dll,TRUE
+winscard.dll,TRUE
 winrnr.dll,TRUE
 winnsi.dll,TRUE
 winmm.dll,TRUE
@@ -38,9 +43,11 @@ windowsudk.shellcommon.dll,TRUE
 windowsperformancerecordercontrol.dll,TRUE
 windowscodecsext.dll,TRUE
 windowscodecs.dll,TRUE
+windows.ui.immersive.dll,TRUE
 windows.storage.search.dll,TRUE
 windows.storage.dll,TRUE
 winbrand.dll,TRUE
+winbio.dll,TRUE
 wimgapi.dll,TRUE
 whhelper.dll,TRUE
 wevtapi.dll,TRUE
@@ -56,13 +63,18 @@ wbemprox.dll,TRUE
 vsstrace.dll,TRUE
 vssapi.dll,TRUE
 virtdisk.dll,TRUE
+version.dll,TRUE
+vdsutil.dll,TRUE
 vaultcli.dll,TRUE
 uxtheme.dll,TRUE
 uxinit.dll,TRUE
 utildll.dll,TRUE
 userenv.dll,TRUE
+urlmon.dll,TRUE
 upshared.dll,TRUE
 updatepolicy.dll,TRUE
+unattend.dll,TRUE
+umpdc.dll,TRUE
 uiribbon.dll,TRUE
 uireng.dll,TRUE
 uiautomationcore.dll,TRUE
@@ -73,6 +85,7 @@ twext.dll,TRUE
 ttdrecord.dll,TRUE
 tsworkspace.dll,TRUE
 tquery.dll,TRUE
+tpmcoreprovisioning.dll,TRUE
 timesync.dll,TRUE
 tdh.dll,TRUE
 tbs.dll,TRUE
@@ -87,14 +100,17 @@ ssp_isv.exe_rsaenh.dll,TRUE
 ssp.exe_rsaenh.dll,TRUE
 srvcli.dll,TRUE
 srpapi.dll,TRUE
+srmtrace.dll,TRUE
 srcore.dll,TRUE
 srclient.dll,TRUE
+sppcext.dll,TRUE
 sppc.dll,TRUE
 spp.dll,TRUE
 spectrumsyncclient.dll,TRUE
 snmpapi.dll,TRUE
 slc.dll,TRUE
 shell32.dll,TRUE
+security.dll,TRUE
 secur32.dll,TRUE
 schedcli.dll,TRUE
 scecli.dll,TRUE
@@ -116,16 +132,24 @@ reagent.dll,TRUE
 rasmontr.dll,TRUE
 rasman.dll,TRUE
 rasgcw.dll,TRUE
+rasdlg.dll,TRUE
 rasapi32.dll,TRUE
 radcui.dll,TRUE
 puiapi.dll,TRUE
 prvdmofcomp.dll,TRUE
+proximityservicepal.dll,TRUE
+proximitycommon.dll,TRUE
 propsys.dll,TRUE
+profapi.dll,TRUE
+prntvpt.dll,TRUE
 printui.dll,TRUE
+powrprof.dll,TRUE
 polstore.dll,TRUE
 policymanager.dll,TRUE
 pnrpnsp.dll,TRUE
+playsndsrv.dll,TRUE
 pla.dll,TRUE
+pkeyhelper.dll,TRUE
 peerdistsh.dll,TRUE
 pdh.dll,TRUE
 pcaui.dll,TRUE
@@ -135,6 +159,7 @@ p2p.dll,TRUE
 osuninst.dll,TRUE
 osksupport.dll,TRUE
 osbaseln.dll,TRUE
+opcservices.dll,TRUE
 onex.dll,TRUE
 omadmapi.dll,TRUE
 oleacc.dll,TRUE
@@ -157,19 +182,24 @@ netutils.dll,TRUE
 nettrace.dll,TRUE
 netshell.dll,TRUE
 netsetupapi.dll,TRUE
+netprovfw.dll,TRUE
 netprofm.dll,TRUE
 netplwiz.dll,TRUE
+netjoin.dll,TRUE
 netiohlp.dll,TRUE
 netid.dll,TRUE
+netapi32.dll,TRUE
 ndfapi.dll,TRUE
 ncrypt.dll,TRUE
 napinsp.dll,TRUE
 mtxclu.dll,TRUE
 msxml3.dll,TRUE
 mswsock.dll,TRUE
 mswb7.dll,TRUE
+msvcp110_win.dll,TRUE
 msutb.dll,TRUE
 mstracer.dll,TRUE
+msiso.dll,TRUE
 msi.dll,TRUE
 msftedit.dll,TRUE
 msdtctm.dll,TRUE
@@ -193,13 +223,17 @@ midimap.dll,TRUE
 mi.dll,TRUE
 mfplat.dll,TRUE
 mfcore.dll,TRUE
+mfc42u.dll,TRUE
 mdmdiagnostics.dll,TRUE
+mbaexmlparser.dll,TRUE
 mapistub.dll,TRUE
 maintenanceui.dll,TRUE
 magnification.dll,TRUE
+lrwizdll.dll,TRUE
 lpksetupproxyserv.dll,TRUE
 logoncontroller.dll,TRUE
 logoncli.dll,TRUE
+lockhostingframework.dll,TRUE
 loadperf.dll,TRUE
 linkinfo.dll,TRUE
 licensingdiagspp.dll,TRUE
@@ -208,21 +242,25 @@ ktmw32.dll,TRUE
 ksuser.dll,TRUE
 kdstub.dll,TRUE
 joinutil.dll,TRUE
+iumsdk.dll,TRUE
 iumbase.dll,TRUE
 isv.exe_rsaenh.dll,TRUE
 iscsium.dll,TRUE
 iscsidsc.dll,TRUE
 iri.dll,TRUE
 iphlpapi.dll,TRUE
 inproclogger.dll,TRUE
+ifsutil.dll,TRUE
 ifmon.dll,TRUE
 iertutil.dll,TRUE
 iedkcs32.dll,TRUE
 ieadvpack.dll,TRUE
 idstore.dll,TRUE
+icmp.dll,TRUE
 httpapi.dll,TRUE
 hnetmon.dll,TRUE
 hid.dll,TRUE
+gpapi.dll,TRUE
 getuname.dll,TRUE
 fxstiff.dll,TRUE
 fxsst.dll,TRUE
@@ -231,7 +269,10 @@ fwpuclnt.dll,TRUE
 fwpolicyiomgr.dll,TRUE
 fwcfg.dll,TRUE
 fwbase.dll,TRUE
+fvewiz.dll,TRUE
+fveskybackup.dll,TRUE
 fveapi.dll,TRUE
+framedynos.dll,TRUE
 fltlib.dll,TRUE
 flightsettings.dll,TRUE
 firewallapi.dll,TRUE
@@ -247,11 +288,13 @@ esent.dll,TRUE
 efsutil.dll,TRUE
 efsadu.dll,TRUE
 edputil.dll,TRUE
+edgeiso.dll,TRUE
 eappprxy.dll,TRUE
 eappcfg.dll,TRUE
 dynamoapi.dll,TRUE
 dxva2.dll,TRUE
 dxgi.dll,TRUE
+dxcore.dll,TRUE
 dwrite.dll,TRUE
 dwmcore.dll,TRUE
 dwmapi.dll,TRUE
@@ -260,8 +303,10 @@ duser.dll,TRUE
 dui70.dll,TRUE
 dsrole.dll,TRUE
 dsreg.dll,TRUE
+dsprop.dll,TRUE
 dsparse.dll,TRUE
 dsclient.dll,TRUE
+drvstore.dll,TRUE
 drprov.dll,TRUE
 dpx.dll,TRUE
 dot3cfg.dll,TRUE
@@ -274,6 +319,7 @@ dmoleaututils.dll,TRUE
 dmiso8601utils.dll,TRUE
 dmenterprisediagnostics.dll,TRUE
 dmenrollengine.dll,TRUE
+dmcommandlineutils.dll,TRUE
 dmcmnutils.dll,TRUE
 dmcfgutils.dll,TRUE
 dismcore.dll,TRUE
@@ -310,27 +356,35 @@ cscobj.dll,TRUE
 cscapi.dll,TRUE
 cryptxml.dll,TRUE
 cryptui.dll,TRUE
+cryptsp.dll,TRUE
 cryptdll.dll,TRUE
 cryptbase.dll,TRUE
 credui.dll,TRUE
+coreuicomponents.dll,TRUE
 coremessaging.dll,TRUE
+coredplus.dll,TRUE
 connect.dll,TRUE
+configmanager2.dll,TRUE
 comdlg32.dll,TRUE
 colorui.dll,TRUE
 coloradapterclient.dll,TRUE
+cmutil.dll,TRUE
 cmpbk32.dll,TRUE
 clusapi.dll,TRUE
 clipc.dll,TRUE
 cldapi.dll,TRUE
 certenroll.dll,TRUE
+certcli.dll,TRUE
 cabview.dll,TRUE
 cabinet.dll,TRUE
+bootux.dll,TRUE
 bootmenuux.dll,TRUE
 bderepair.dll,TRUE
 bcrypt.dll,TRUE
 bcp47mrm.dll,TRUE
 bcp47langs.dll,TRUE
 bcd.dll,TRUE
+batmeter.dll,TRUE
 avrt.dll,TRUE
 authz.dll,TRUE
 authfwcfg.dll,TRUE
@@ -340,9 +394,10 @@ atl.dll,TRUE
 archiveint.dll,TRUE
 appxdeploymentclient.dll,TRUE
 appxalluserstore.dll,TRUE
+appvpolicy.dll,TRUE
 applicationframe.dll,TRUE
 apphelp.dll,TRUE
-amsi.dll,TRUE
 aepic.dll,TRUE
 adsldpc.dll,TRUE
 activeds.dll,TRUE
+amsi.dll,TRUE