Lsass Memory Dump via Syscalls

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/18

Modification Date

2020/10/18

Tactics

['TA0006']

Techniques

['T1003.001']

Tags

['art.7ae7102c-a099-45c8-b985-4c7a2d05790d']

Dataset Description

This dataset represents adversaries using direct system calls (syscalls) and API unhooking to dump the memory contents of lsass.exe. The simulation runs Outflank's Dumpert, which maps the syscall numbers for the detected OS build, unhooks NtReadVirtualMemory in ntdll, opens a handle to lsass.exe and writes the dump to C:\windows\Temp\dumpert.dmp, bypassing user-mode API hooks that an EDR might have placed on the usual Win32 path.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Lab VM

Tool Type

Manual

Module

Cmd

Adversary View

C:\Users\wardog\Desktop>Outflank-Dumpert.exe
________          __    _____.__                 __
\_____  \  __ ___/  |__/ ____\  | _____    ____ |  | __
  /   |   \|  |  \   __\   __\|  | \__  \  /    \|  |/ /
/    |    \  |  /|  |  |  |  |  |__/ __ \|   |  \    <
\_______  /____/ |__|  |__|  |____(____  /___|  /__|_ \
        \/                             \/     \/     \/
                                  Dumpert
                              By Cneeliz @Outflank 2019

[1] Checking OS version details:
        [+] Operating System is Windows 10 or Server 2016, build number 18363
        [+] Mapping version specific System calls.
[2] Checking Process details:
        [+] Process ID of lsass.exe is: 756
        [+] NtReadVirtualMemory function pointer at: 0x00007FFB929DC890
        [+] NtReadVirtualMemory System call nr is: 0x3f
        [+] Unhooking NtReadVirtualMemory.
[3] Create memorydump file:
        [+] Open a process handle.
        [+] Dump lsass.exe memory to: \??\C:\windows\Temp\dumpert.dmp
        [+] Dump succesful.

C:\Users\wardog\Desktop>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/cmd_lsass_memory_dumpert_syscalls.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |44   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |23   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |21   |
|WORKSTATION5|Security                            |4658   |6    |
|WORKSTATION5|Security                            |4663   |3    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |3    |
|WORKSTATION5|Security                            |4690   |3    |
|WORKSTATION5|Security                            |4656   |3    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |2    |
|WORKSTATION5|Security                            |5158   |2    |
|WORKSTATION5|Security                            |5156   |2    |
|WORKSTATION5|Security                            |4688   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |1    |
|WORKSTATION5|Security                            |4703   |1    |
|WORKSTATION5|Security                            |1102   |1    |
|WORKSTATION5|Security                            |4689   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5      |1    |
+------------+------------------------------------+-------+-----+
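Sysmon Event ID 10 (ProcessAccess) dominates the counts above, and that is the event in which the handle Dumpert opens to lsass.exe surfaces. The block below is an added example, not code from this notebook, from Mordor or from Dumpert: it applies one detection rule to a handful of constructed Event ID 10 records laid out with the Sysmon field names used in the mordor JSON (SourceImage, TargetImage, GrantedAccess, CallTrace). The rule assumes that Sysmon's CallTrace lists the innermost user-mode frame first, so a syscall issued from a tool's own image or from unbacked memory shows a first frame other than ntdll.dll, whereas a legitimate OpenProcess enters the kernel through ntdll. The PROCESS_VM_READ bit is the Windows access-mask value; the sample GrantedAccess values, paths and offsets are invented for illustration.

```python
"""Flag lsass.exe handle opens whose innermost user-mode frame is not in ntdll.dll.

Added detection example; not part of the Mordor notebook or of Dumpert.
The records below are constructed Sysmon Event ID 10 (ProcessAccess) fields in
the mordor JSON shape; their values are illustrative, not taken from the dataset.
"""
from __future__ import annotations

PROCESS_VM_READ = 0x0010  # Windows access-mask bit needed to read another process' memory

# Constructed sample events (field names follow Sysmon; paths, masks and offsets are made up).
SAMPLE_EVENTS = [
    {   # Documented API path (e.g. MiniDumpWriteDump): the syscall returns into ntdll.dll
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\taskmgr.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2ea1f|C:\Windows\System32\taskmgr.exe+1234",
    },
    {   # Direct-syscall style access: the syscall instruction lives in the tool's own image
        "EventID": 10,
        "SourceImage": r"C:\Users\wardog\Desktop\Outflank-Dumpert.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Users\wardog\Desktop\Outflank-Dumpert.exe+1a2b|C:\Users\wardog\Desktop\Outflank-Dumpert.exe+1c00",
    },
    {   # Access to a process other than lsass: out of scope for this rule
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\conhost.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Users\wardog\Desktop\tool.exe+1a2b",
    },
    {   # lsass opened from memory not backed by a file (Sysmon prints UNKNOWN(address))
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"UNKNOWN(000001D4A8B20000)|C:\Windows\SYSTEM32\ntdll.dll+4c2f0",
    },
]


def first_frame_module(call_trace: str) -> str:
    """Return the lower-cased module file name of the innermost CallTrace frame.

    Sysmon formats CallTrace as 'module+offset|module+offset|...', innermost frame
    first. Frames in memory not backed by a file appear as 'UNKNOWN(address)'.
    """
    first = call_trace.split("|", 1)[0]
    module_path = first.split("+", 1)[0]
    return module_path.rsplit("\\", 1)[-1].lower()


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when lsass.exe is opened with read access and the innermost frame is not ntdll.dll."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # no memory-read right, so no dump possible through this handle
    return first_frame_module(event.get("CallTrace", "")) != "ntdll.dll"


def find_suspicious(events: list[dict]) -> list[str]:
    """Return the SourceImage of every event that trips the rule, in input order."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for src in find_suspicious(SAMPLE_EVENTS):
        print("suspicious lsass access from", src)
```

Against the constructed records the rule flags the Dumpert-style open and the open from unbacked memory, and ignores both the ntdll-backed dump and the access to conhost.exe. Two caveats before running it over the mordorTable: the minimum GrantedAccess a dumper needs varies by technique, so filter on the VM_READ bit rather than on one mask value, and any legitimate software that issues its own syscalls (some AV and backup agents) will also fail the ntdll-first-frame check and needs allow-listing by SourceImage.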