Credential Dumping via Task Manager
ForensicITGuy opened this issue
Credential Dumping via Windows Task Manager
The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.
This requires filesystem data to determine whether files have been created.
ATT&CK Coverage
| Technique | Level of Coverage |
|---|---|
| Credential Dumping | Moderate |
Analytic Code
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
Pseudocode

```
files = search File:Create
lsass_dump = filter files where (
  file_name = "lsass*.dmp" and
  image_path = "C:\Windows\*\taskmgr.exe")
```

Splunk, Sysmon native

```
index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"
```

EQL

```
file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"
```
Test Cases
- Open Windows Task Manager as Administrator
- Select `lsass.exe`
- Right-click on `lsass.exe` and select "Create dump file".
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
| Object | Action | Field |
|---|---|---|
| file | create | file_name |
| file | create | file_name |
Developer Certificate of Origin
DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
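The pseudocode above, applied to a handful of constructed Sysmon Event ID 11 (FileCreate) records, as an added example that is not part of the issue or the CAR repository. Field names follow the Splunk search in the post; the matching is case-insensitive, since Windows file and path names are, and it also accepts the numbered variants (`lsass (1).dmp`) that Task Manager produces when a dump already exists.

```python
import fnmatch
import ntpath

# Constructed Sysmon Event ID 11 records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventCode": 11, "Image": r"C:\Windows\SysWOW64\taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass (1).DMP"},
    # Same file name, but the writing process is not Task Manager.
    {"EventCode": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    # Task Manager dumping some other process.
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notepad.DMP"},
    # Not a FileCreate event at all.
    {"EventCode": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": ""},
]


def _match(value, pattern):
    """Case-insensitive glob match (Windows names are case-insensitive)."""
    return fnmatch.fnmatch(value.lower(), pattern.lower())


def is_taskmgr_lsass_dump(event, file_pattern="lsass*.dmp",
                          image_pattern=r"C:\Windows\*\taskmgr.exe"):
    """Mirror the CAR pseudocode: File:Create, file_name and image_path filters."""
    if event.get("EventCode") != 11:
        return False
    # file_name in the pseudocode is the base name of Sysmon's TargetFilename.
    file_name = ntpath.basename(event.get("TargetFilename", ""))
    return (_match(file_name, file_pattern)
            and _match(event.get("Image", ""), image_pattern))


def find_lsass_dumps(events):
    """Return the dump paths written by Task Manager, in event order."""
    return [e["TargetFilename"] for e in events if is_taskmgr_lsass_dump(e)]


if __name__ == "__main__":
    for path in find_lsass_dumps(SAMPLE_EVENTS):
        print("lsass dump via Task Manager:", path)
```

The third sample record shows why the `image_path` clause matters for this analytic: the same file name written by another process is a different (and separately interesting) event, which the EQL variant's `process_name == "taskmgr.exe"` clause likewise excludes.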
@ForensicITGuy thanks for the contribution - it's especially great that you included multiple implementations :)
A few questions:
- What would classify the "type" of this analytic (see https://car.mitre.org/Glossary)? I would assume that it's TTP?
- Is the file name created by the task manager dump deterministic (i.e., will it always have `lsass` in the name)?
Hey @ikiril01, that would be correct; it would be a TTP.
For the second question, there's no place to specify the file name with Task Manager; it should always be deterministic, such as `lsass.dmp`, `lsass (1).dmp` and so on.
Added this in a PR - #32. Thanks again for the submission!