Potential Credential Dumping Via WER - Application

 1title: Potential Credential Dumping Via WER - Application
 2id: a18e0862-127b-43ca-be12-1a542c75c7c5
 3status: test
 4description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
 5references:
 6    - https://github.com/deepinstinct/Lsass-Shtinkering
 7    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-12-07
11tags:
12    - attack.credential-access
13    - attack.t1003.001
14logsource:
15    product: windows
16    service: application
17detection:
18    selection:
19        Provider_Name: 'Application Error'
20        EventID: 1000
21        AppName: 'lsass.exe'
22        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
23    condition: selection
24falsepositives:
25    - Rare legitimate crashing of the lsass process
26level: high

References

• GitHub - deepinstinct/Lsass-Shtinkering

  

  Contribute to deepinstinct/Lsass-Shtinkering development by creating an account on GitHub.

  
  Read More

• ×¼®Ý´INN6Í<½üÒ³fäyNJ¶ìE.Ó$ææ78ÜtôDFU½ƒddþÆà:*:0kvàÌ|·±ãy"ÖU•bØ€ÉÃþ&{‚ŠÆM#¹ö#0Õötwƒ'ªÕee¥¥ù%%Ú(*†˜SXAxBÞœ9¹yy÷Â6¨YÔ´ãdÏïϽµõÄ©ª…‹ŒýuôÜwßœûígO^¹Ô¸aCå’%š…�óêê!ʪª J5pù¬�ÒRˆÈŠ1ÅÅ...

  
  Read More

• [MS-ERREF]: NTSTATUS Values

  

  By combining the NTSTATUS into a single 32-bit numbering space, the following NTSTATUS values are defined. Most values

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• Cred Dump Tools Dropped Files
• Credential Dumping Activity By Python Based Tool
• Credential Dumping Attempt Via WerFault
• Credential Dumping Tools Service Execution - Security