Potential Credential Dumping Via WER

Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting (WerFault.exe) to write a memory dump of lsass.exe on behalf of a process other than LSASS itself.

Sigma rule

title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022-12-08
modified: 2022-12-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\Werfault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        ParentUser|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
        CommandLine|contains|all:
            # Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
            # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
            # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
            # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
            - ' -u -p '
            - ' -ip '
            - ' -s '
    filter_lsass:
        ParentImage: 'C:\Windows\System32\lsass.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
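As an added example (not part of the rule or the Sigma project), the selections, filter and condition above are expressed in Python together with the second-stage PID check the rule's comments and falsepositives note describe, run over constructed process_creation events; the LSASS_PID value and the sample events are assumptions.

```python
import re
from typing import Optional

# Constructed sample process_creation events (not real telemetry). Field names
# are the ones the rule reads; values are made up for the demonstration.
EVENTS = [
    {"Image": r"C:\Windows\system32\Werfault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": r"C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\system32\Werfault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": r"C:\Windows\system32\Werfault.exe -u -p 744 -ip 744 -s 300",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
    {"Image": r"C:\Windows\system32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "User": r"CORP\alice", "ParentUser": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
LSASS_PID = 744  # assumed: PID of lsass.exe on the sample host (from a process list)

def rule_matches(ev: dict) -> bool:
    """Sigma selections/filter of the rule; Sigma string matching is case-insensitive."""
    selection_img = (ev.get("Image", "").lower().endswith("\\werfault.exe")
                     or ev.get("OriginalFileName", "").lower() == "werfault.exe")
    def has_authority(field: str) -> bool:
        v = ev.get(field, "").upper()
        return "AUTHORI" in v or "AUTORI" in v
    cli = ev.get("CommandLine", "").lower()
    selection_cli = (has_authority("ParentUser") and has_authority("User")
                     and all(tok in cli for tok in (" -u -p ", " -ip ", " -s ")))
    filter_lsass = ev.get("ParentImage", "").lower() == r"c:\windows\system32\lsass.exe"
    return selection_img and selection_cli and not filter_lsass

def triage(ev: dict, lsass_pid: int) -> Optional[str]:
    """Check from the rule's comments: -p must be LSASS and -ip must be a different process."""
    m = re.search(r" -p (\d+) -ip (\d+) ", ev["CommandLine"])
    if not m:
        return None
    target, source = int(m.group(1)), int(m.group(2))
    if target == lsass_pid and source != lsass_pid:
        return "lsass_shtinkering"   # a foreign process asked WER to dump LSASS
    return "benign_wer_report"       # WER reporting a crash of the process itself

def scan(events, lsass_pid=LSASS_PID):
    """Return (CommandLine, triage verdict) for every event the rule fires on."""
    return [(ev["CommandLine"], triage(ev, lsass_pid)) for ev in events if rule_matches(ev)]
```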
