
Description

This search detects the memory of lsass.exe being dumped for an offline credential theft attack.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2020-09-15
  • Author: Jose Hernandez, Splunk
  • ID: 76bb9e35-f314-4c3d-a385-83c72a13ce4e

ATT&CK

ID         Technique  Tactic
T1003.003  NTDS       Credential Access

| from read_ssa_enriched_events() 
| eval tenant=ucast(map_get(input_event, "_tenant"), "string", null), machine=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process=lower(ucast(map_get(input_event, "process"), "string", null)), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true 
| eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body=create_map(["event_id", event_id, "process_name", process_name, "process", process]) 
| into write_ssa_detected_events();
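The same rundll32/comsvcs MiniDump filter implemented outside Splunk, as an added example that is not part of Splunk's security content: it applies the search's two conditions to constructed sample events (hypothetical hosts and timestamps) and builds the same detected-event body. It assumes the `process` field carries the full command line, as the search does.

```python
import re

# Same pattern as the SPL2 search (the "." is escaped here to be strict):
# case-insensitive, comma and/or whitespace between comsvcs.dll and MiniDump.
COMSVCS_MINIDUMP = re.compile(r"(?i)comsvcs\.dll[,\s]+MiniDump")

# Constructed sample events mirroring the enriched-event fields the search reads.
# Hosts, timestamps and paths are hypothetical test data, not real telemetry.
SAMPLE_EVENTS = [
    {"_tenant": "t1", "dest_device_id": "host-01", "_time": "1600000000",
     "event_id": "4688", "process_name": "rundll32.exe",
     "process": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Windows\Temp\d.bin full"},
    # Upper-case name, double space instead of comma: still matches.
    {"_tenant": "t1", "dest_device_id": "host-02", "_time": "1600000010",
     "event_id": "4688", "process_name": "RUNDLL32.EXE",
     "process": r"RUNDLL32.EXE comsvcs.dll  minidump 1234 C:\Windows\Temp\d.bin full"},
    # Benign rundll32 usage: process_name matches, regex does not.
    {"_tenant": "t1", "dest_device_id": "host-03", "_time": "1600000020",
     "event_id": "4688", "process_name": "rundll32.exe",
     "process": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Regex would match, but process_name is not rundll32.exe: the search skips it.
    {"_tenant": "t1", "dest_device_id": "host-04", "_time": "1600000030",
     "event_id": "4688", "process_name": "cmd.exe",
     "process": r"cmd.exe /c echo comsvcs.dll, MiniDump"},
]


def detect(event):
    """Return the detected-event body the SPL2 search writes, or None on no match."""
    process_name = (event.get("process_name") or "").lower()
    process = (event.get("process") or "").lower()
    if "rundll32.exe" not in process_name:          # process_name LIKE "%rundll32.exe%"
        return None
    if not COMSVCS_MINIDUMP.search(process):        # match_regex(process, ...)
        return None
    ts = int(event["_time"])
    return {
        "start_time": ts,
        "end_time": ts,
        "entities": [event["dest_device_id"]],
        "body": {"event_id": event["event_id"],
                 "process_name": process_name,
                 "process": process},
    }


def run(events):
    """Apply detect() to a stream of events and keep only the hits."""
    return [d for d in (detect(e) for e in events) if d is not None]
```

Note that the RBA message below references $dest_user_id$ and $cmd_line$, which this search does not place in the body; only event_id, process_name and process are emitted.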

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with Event Code 4688 on the attack_range.

Required field

  • process_name
  • _tenant
  • _time
  • dest_device_id
  • process

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.

RBA

Risk Score  Impact  Confidence  Message
70.0        70      100         Malicious actor is dumping encoded credentials via Microsoft's native comsvc DLL. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1