Process Access via TrolleyExpress Exclusion
Detects a possible LSASS process memory dump performed by a dumping tool (e.g. procdump) that has been renamed to TrolleyExpress.exe, the Citrix file name that some endpoint products exclude from inspection. The rule fires on PID-style or -ma dump syntax in the command line, or on any TrolleyExpress.exe whose OriginalFileName does not look like the genuine Citrix binary.
Sigma rule

```yaml
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
  - https://twitter.com/_xpn_/status/1491557187168178176
  - https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
  - attack.defense-evasion
  - attack.t1218.011
  - attack.credential-access
  - attack.t1003.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
      - '\TrolleyExpress 7'
      - '\TrolleyExpress 8'
      - '\TrolleyExpress 9'
      - '\TrolleyExpress.exe 7'
      - '\TrolleyExpress.exe 8'
      - '\TrolleyExpress.exe 9'
      # Common dumpers
      - '\TrolleyExpress.exe -ma '
  renamed:
    Image|endswith: '\TrolleyExpress.exe'
  filter_renamed:
    OriginalFileName|contains: 'CtxInstall'
  filter_empty:
    OriginalFileName: null
  condition: selection or ( renamed and not 1 of filter* )
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: high
```
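To see how the two branches of the condition interact, here is the detection block re-implemented in plain Python and run over a handful of constructed process_creation events. This is an added illustration, not code from the rule or from the SigmaHQ project; the OriginalFileName values ("procdump" for a renamed dumper, "CtxInstall.exe" for the genuine Citrix binary) are placeholders chosen to exercise the filters, and Sigma's default case-insensitive string matching is assumed.

```python
# Added illustration: this rule's `detection` block as plain Python, evaluated
# over constructed Windows process_creation events (Sysmon Event ID 1 field
# names as Sigma maps them). Not part of the Sigma rule or of SigmaHQ.

from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]

# `selection`: CommandLine|contains with a list means any-of. Sigma string
# matching is case-insensitive by default, so both sides are lower-cased.
SELECTION_CONTAINS = [
    "\\TrolleyExpress 7", "\\TrolleyExpress 8", "\\TrolleyExpress 9",
    "\\TrolleyExpress.exe 7", "\\TrolleyExpress.exe 8", "\\TrolleyExpress.exe 9",
    "\\TrolleyExpress.exe -ma ",
]


def _field(event: Event, name: str) -> str:
    """Return the field lower-cased, or '' when it is absent/null."""
    value = event.get(name)
    return value.lower() if isinstance(value, str) else ""


def selection(event: Event) -> bool:
    cmd = _field(event, "CommandLine")
    return any(s.lower() in cmd for s in SELECTION_CONTAINS)


def renamed(event: Event) -> bool:
    return _field(event, "Image").endswith("\\trolleyexpress.exe")


def filter_renamed(event: Event) -> bool:
    return "ctxinstall" in _field(event, "OriginalFileName")


def filter_empty(event: Event) -> bool:
    # `OriginalFileName: null` in Sigma matches events where the field is absent.
    return event.get("OriginalFileName") is None


def rule_matches(event: Event) -> bool:
    """condition: selection or ( renamed and not 1 of filter* )"""
    return selection(event) or (
        renamed(event) and not (filter_renamed(event) or filter_empty(event))
    )


# Constructed sample events, not real telemetry. OriginalFileName values are
# placeholders: "procdump" for a renamed dumper, "CtxInstall.exe" for the
# genuine Citrix binary that filter_renamed is meant to let through.
EVENTS: List[Event] = [
    # 1. renamed dumper, PID-only syntax, lsass PID 728 -> selection
    {"CommandLine": "C:\\Temp\\TrolleyExpress.exe 728 C:\\Temp\\lsass.dmp",
     "Image": "C:\\Temp\\TrolleyExpress.exe", "OriginalFileName": "procdump"},
    # 2. renamed dumper, full-memory flag -> selection
    {"CommandLine": "C:\\Temp\\TrolleyExpress.exe -ma lsass.exe lsass.dmp",
     "Image": "C:\\Temp\\TrolleyExpress.exe", "OriginalFileName": "procdump"},
    # 3. genuine Citrix binary: renamed hits, filter_renamed suppresses
    {"CommandLine": "\"C:\\Program Files\\Citrix\\TrolleyExpress.exe\" /silent",
     "Image": "C:\\Program Files\\Citrix\\TrolleyExpress.exe",
     "OriginalFileName": "CtxInstall.exe"},
    # 4. lsass PID 1244 (outside the 700-999 heuristic) and no OriginalFileName
    #    in the event: selection misses, filter_empty suppresses -> gap
    {"CommandLine": "C:\\Users\\Public\\TrolleyExpress.exe 1244 lsass.dmp",
     "Image": "C:\\Users\\Public\\TrolleyExpress.exe"},
    # 5. same command line with OriginalFileName present -> renamed branch fires
    {"CommandLine": "C:\\Users\\Public\\TrolleyExpress.exe 1244 lsass.dmp",
     "Image": "C:\\Users\\Public\\TrolleyExpress.exe", "OriginalFileName": "procdump"},
    # 6. unrelated process
    {"CommandLine": "C:\\Windows\\System32\\notepad.exe notes.txt",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]


def evaluate(events: List[Event]) -> List[bool]:
    """One verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for i, (e, hit) in enumerate(zip(EVENTS, evaluate(EVENTS)), 1):
        print(f"{i}: {'ALERT' if hit else '-----'} {e['CommandLine']}")
```

Events 4 and 5 are the ones worth studying. The `selection` branch only covers lsass PIDs in the 700-999 range, so a PID of 1244 is invisible to it; the `renamed` branch then carries the detection, but only when the log source populates OriginalFileName. Sysmon Event ID 1 does; the built-in Security log's 4688 event does not, so on a 4688-only pipeline event 4 is the typical case and the rule is reduced to the PID-prefix heuristic. If the lsass PID on the fleet commonly falls outside 700-999, the `selection` list is the place to extend.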
Related rules
- NotPetya Ransomware Activity
- Potential LSASS Process Dump Via Procdump
- Process Memory Dump Via Comsvcs.DLL
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- Time Travel Debugging Utility Usage