{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memory-dump/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","memory-dump","memprocfs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMemProcFS is a memory forensics tool that allows users to mount physical memory as a virtual file system. While legitimate uses exist for forensic analysis, adversaries are abusing it to gain unauthorized access to sensitive information. Observed tactics involve mounting memory dumps of compromised systems and extracting credentials, LSA secrets, SAM data, and cached domain credentials. This activity is particularly concerning as it allows threat actors to bypass traditional security measures and directly access sensitive data within the memory space of targeted processes. 
Unapproved usage of MemProcFS should be considered suspicious and investigated immediately to prevent credential theft and lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through unspecified means (e.g., exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a memory dump of the compromised system, which may contain sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eMemProcFS.exe\u003c/code\u003e with the \u003ccode\u003e-device\u003c/code\u003e parameter to mount the memory dump as a virtual file system.\u003c/li\u003e\n\u003cli\u003eMemProcFS creates a virtual file system representation of the memory dump, allowing the attacker to browse the memory space as files and directories.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the memory of the LSASS process (lsass.exe) through the mounted file system.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials, such as usernames and passwords, from the LSASS process memory.\u003c/li\u003e\n\u003cli\u003eThe attacker may also access registry hives through the mounted file system to obtain LSA secrets, SAM data, and cached domain credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows threat actors to steal sensitive information, including credentials, LSA secrets, SAM data, and cached domain credentials. Compromised credentials can be used for lateral movement within the network, privilege escalation, and further data breaches. The number of potential victims is unknown, but the severity of the impact is high due to the potential for widespread compromise. 
Sectors at risk include any organization that stores sensitive data on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MemProcFS Execution with Device Parameter\u0026rdquo; to your SIEM to identify suspicious use of MemProcFS based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file system access patterns that may indicate a memory dump being mounted as a virtual file system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-memprocfs-memory-dump/","summary":"Adversaries use MemProcFS, a memory forensics tool, to mount memory dumps as virtual file systems and extract sensitive information like credentials from LSASS or registry hives.","title":"MemProcFS Usage for Memory Dump Mounting and Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-11-memprocfs-memory-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","memory-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly used by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. 
It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule triggers on Windows systems where Audit Handle Manipulation is enabled and generates Security event logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to an administrative account or SYSTEM, necessary for accessing LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.\u003c/li\u003e\n\u003cli\u003eThe tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.\u003c/li\u003e\n\u003cli\u003eWindows Security Event ID 4656 is generated, logging the handle request to the LSASS object.\u003c/li\u003e\n\u003cli\u003eThe tool reads the memory contents of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful LSASS memory dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. 
Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Handle Manipulation to generate the necessary events for this rule to function, as described in the \u003ca href=\"https://ela.st/audit-handle-manipulation\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLSASS Memory Dump Handle Access\u003c/code\u003e to your SIEM and tune the exceptions based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lsass-memory-dump/","summary":"This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.","title":"LSASS Memory Dump Handle Access Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/"}],"language":"en","title":"CraftedSignal Threat Feed — Memory-Dump","version":"https://jsonfeed.org/version/1.1"}