Full User-Mode Dumps Enabled System-Wide

Identifies the enabling of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which reports a fake crash of LSASS to WER so that WER itself writes a dump of the process memory; this gives the attacker access to the credentials present on the system without having to bring malware onto it. This setting is not enabled by default, and applications must create their own registry subkeys to hold the settings that enable dump collection for them.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/08/28"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER)
to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which
fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to
the credentials present on the system without having to bring malware to the system. This setting is not enabled by
default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Full User-Mode Dumps Enabled System-Wide"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Full User-Mode Dumps Enabled System-Wide

Full user-mode dumps are a diagnostic feature in Windows that captures detailed information about application crashes, aiding in troubleshooting. However, attackers can exploit this by triggering dumps of sensitive processes like LSASS to extract credentials. The detection rule identifies registry changes enabling this feature system-wide, flagging potential misuse by excluding legitimate system processes, thus alerting analysts to suspicious activity.

### Possible investigation steps

- Review the registry path HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType to confirm if the value is set to "2" or "0x00000002", indicating full user-mode dumps are enabled.
- Check for any recent changes to the registry key by examining the modification timestamps and identifying the user or process responsible for the change.
- Investigate the context of the alert by reviewing recent process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate svchost.exe process with user IDs S-1-5-18, S-1-5-19, or S-1-5-20.
- Analyze any generated dump files for sensitive information, such as credentials, and determine if they were accessed or exfiltrated by unauthorized users or processes.
- Correlate the alert with other security events or logs, such as Sysmon or Microsoft Defender for Endpoint, to identify any related suspicious activities or patterns that could indicate a broader attack.

### False positive analysis

- Legitimate system processes like svchost.exe may trigger the rule if they are not properly excluded. Ensure that the exclusion for svchost.exe is correctly configured by verifying the process executable path and user IDs.
- Custom applications that require full user-mode dumps for legitimate debugging purposes might be flagged. Identify these applications and create specific registry subkey exclusions to prevent false positives.
- System administrators performing routine maintenance or diagnostics might enable full user-mode dumps temporarily. Document these activities and consider creating temporary exceptions during maintenance windows.
- Security tools or monitoring software that simulate crash scenarios for testing purposes could trigger the rule. Verify the legitimacy of these tools and add them to an exclusion list if they are part of regular security operations.
- Updates or patches from software vendors that modify registry settings for error reporting might be misinterpreted as suspicious. Monitor update schedules and correlate any rule triggers with known update activities to avoid unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further credential access or lateral movement by the attacker.
- Terminate any unauthorized processes that are generating full user-mode dumps, especially those related to LSASS, to stop further credential dumping.
- Conduct a thorough review of the registry settings on the affected system to ensure that the full user-mode dumps feature is disabled unless explicitly required for legitimate purposes.
- Change all credentials that may have been exposed, particularly those associated with high-privilege accounts, to mitigate the risk of unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly.
- Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar credential dumping techniques."""
references = [
    "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
    "https://github.com/deepinstinct/Lsass-Shtinkering",
    "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
]
risk_score = 47
rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
    registry.path : (
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
    ) and
    registry.data.strings : ("2", "0x00000002") and
    not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
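As an added example (not Elastic's code), the Python below re-implements the rule's EQL predicate so an analyst can see exactly which registry events it alerts on: both spellings of the DumpType path, the `"2"`/`"0x00000002"` values, the `?:` drive-letter wildcard, EQL's case-insensitive `:` matching, and the svchost.exe/service-SID exclusion. The ECS field names are those in the query; the `_ev` helper, the user SID and the sample events are constructed assumptions.

```python
import fnmatch

# The value the rule watches, in both the HKLM and the native \REGISTRY\MACHINE spelling.
DUMPTYPE_PATHS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType",
)
FULL_DUMP_VALUES = ("2", "0x00000002")                # DumpType 2 = full user-mode dump
SVCHOST_GLOB = r"?:\Windows\system32\svchost.exe"     # EQL "?" matches one char (drive letter)
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

def _eql_match(value, patterns):
    """Mimic EQL ':' on a field: case-insensitive wildcard match; the field may be a list."""
    values = value if isinstance(value, list) else [value]
    return any(v is not None and fnmatch.fnmatchcase(str(v).lower(), p.lower())
               for v in values for p in patterns)

def matches_rule(event):
    """True if an ECS-shaped registry event satisfies the rule's EQL predicate."""
    if event.get("event.category") != "registry" or event.get("host.os.type") != "windows":
        return False
    if not _eql_match(event.get("registry.path"), DUMPTYPE_PATHS):
        return False
    if not _eql_match(event.get("registry.data.strings"), FULL_DUMP_VALUES):
        return False
    # The rule's only exclusion: svchost.exe writing the value as a Windows service SID.
    if (_eql_match(event.get("process.executable"), (SVCHOST_GLOB,))
            and event.get("user.id") in SERVICE_SIDS):
        return False
    return True

def _ev(path, value, exe, sid):  # helper assumed here, not part of the rule
    return {"event.category": "registry", "host.os.type": "windows", "registry.path": path,
            "registry.data.strings": [value], "process.executable": exe, "user.id": sid}

HKLM, NATIVE = DUMPTYPE_PATHS
USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed interactive-user SID
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _ev(HKLM, "2", r"C:\Windows\regedit.exe", USER_SID),                        # fires
    _ev(NATIVE, "0x00000002", r"C:\WINDOWS\System32\svchost.exe", "S-1-5-18"),  # excluded by the rule
    _ev(HKLM, "1", r"C:\Windows\regedit.exe", USER_SID),                        # mini dump, not full
    _ev(HKLM, "2", r"D:\Windows\system32\svchost.exe", USER_SID),               # svchost.exe but a user SID
]

def alerting_indices(events=SAMPLE_EVENTS):
    return [i for i, e in enumerate(events) if matches_rule(e)]

print("alerting events:", alerting_indices())  # → [0, 3]
```

Event 3 shows why the exclusion keys on both the executable path and the SID: a svchost.exe path alone does not suppress the alert.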