HackTool - Generic Process Access

Detects process access requests from hacktool processes based on their default image name

Sigma rule

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: experimental
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023/11/27
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        - SourceImage|endswith:
              - '\Akagi.exe'
              - '\Akagi64.exe'
              - '\atexec_windows.exe'
              - '\Certify.exe'
              - '\Certipy.exe'
              - '\CoercedPotato.exe'
              - '\crackmapexec.exe'
              - '\CreateMiniDump.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\gmer.exe'
              - '\hashcat.exe'
              - '\htran.exe'
              - '\ifmap_windows.exe'
              - '\impersonate.exe'
              - '\Inveigh.exe'
              - '\LocalPotato.exe'
              - '\mimikatz_windows.exe'
              - '\mimikatz.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\PasswordDump.exe'
              - '\Potato.exe'
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
              - '\psexec_windows.exe'
              - '\PurpleSharp.exe'
              - '\pypykatz.exe'
              - '\QuarksPwDump.exe'
              - '\rdp_check_windows.exe'
              - '\Rubeus.exe'
              - '\SafetyKatz.exe'
              - '\sambaPipe_windows.exe'
              - '\SelectMyParent.exe'
              - '\SharpChisel.exe'
              - '\SharPersist.exe'
              - '\SharpEvtMute.exe'
              - '\SharpImpersonation.exe'
              - '\SharpLDAPmonitor.exe'
              - '\SharpLdapWhoami.exe'
              - '\SharpUp.exe'
              - '\SharpView.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\SpoolSample.exe'
              - '\Stracciatella.exe'
              - '\SysmonEOP.exe'
              - '\temp\rot.exe'
              - '\ticketer_windows.exe'
              - '\TruffleSnout.exe'
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
              - '\xordump.exe'
        - SourceImage|contains:
              - '\goldenPac'
              - '\just_dce_'
              - '\karmaSMB'
              - '\kintercept'
              - '\LocalPotato'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
              - 'HotPotato'
              - 'Juicy Potato'
              - 'JuicyPotato'
              - 'PetitPotam'
    condition: selection
falsepositives:
    - Unlikely
level: high
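The rule's selection logic, re-implemented in plain Python and run over a few constructed Sysmon Event ID 10 (ProcessAccess) records. This is an added example, not code from the Sigma rule or the SigmaHQ project; it reproduces only a handful of the rule's image names (the rule text above is authoritative for the full lists), and the sample events are constructed, not captured from a real host. It follows Sigma's matching semantics: string comparisons are case-insensitive, the two maps listed under `selection` are OR-ed, and so are the values inside each list.

```python
# Added example (not from the Sigma rule or SigmaHQ): the rule's 'selection'
# as plain Python, run over constructed Sysmon EID 10 (ProcessAccess) records.
# Only a subset of the rule's image names is reproduced here.

# Values taken from the rule's 'SourceImage|endswith' list (subset).
ENDSWITH_SUFFIXES = (
    r"\mimikatz.exe",
    r"\Rubeus.exe",
    r"\SafetyKatz.exe",
    r"\temp\rot.exe",
    r"\winPEASx64.exe",
)

# Values taken from the rule's 'SourceImage|contains' list (subset).
CONTAINS_SUBSTRINGS = (
    r"\secretsdump",
    r"\ntlmrelayx",
    "JuicyPotato",
    "PetitPotam",
)


def matches(event: dict) -> bool:
    """Evaluate 'condition: selection' for a single event.

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    'selection' is a list of two maps, which Sigma OR-s together; the values
    inside each map's list are OR-ed as well.
    """
    image = str(event.get("SourceImage", "")).lower()
    if any(image.endswith(s.lower()) for s in ENDSWITH_SUFFIXES):
        return True
    return any(s.lower() in image for s in CONTAINS_SUBSTRINGS)


def run_rule(events: list) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches(e)]


# Constructed Sysmon EID 10 records (field names as Sysmon writes them).
SAMPLE_EVENTS = [
    # Default mimikatz binary name opening LSASS: fires via 'endswith'.
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Tool name appears in the path: fires via 'contains'.
    {"EventID": 10, "SourceImage": r"C:\Tools\JuicyPotato-x64\JuicyPotato.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1400"},
    # Mixed-case 'Temp' still matches '\temp\rot.exe' (case-insensitive).
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\rot.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Legitimate system process touching LSASS: no match.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Same tool renamed before execution: the rule does not fire.
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


if __name__ == "__main__":
    for event in run_rule(SAMPLE_EVENTS):
        print("ALERT", event["SourceImage"], "->", event["TargetImage"],
              event["GrantedAccess"])
```

The last sample record is the caveat a practitioner should keep in mind: the rule keys only on `SourceImage` and says nothing about `TargetImage` or `GrantedAccess`, so it catches operators who run tools under their default names and misses the same tool once it is renamed. Pair it with access-mask based LSASS rules (see the referenced Splunk and jsecurity101 posts) rather than relying on it alone.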
