Lsass Memory Dump via Syscalls

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/18

Modification Date

2020/10/18

Tactics

TA0006

Techniques

T1003.001

Tags

art.7ae7102c-a099-45c8-b985-4c7a2d05790d

Dataset Description

This dataset represents adversaries using direct system calls (syscalls) and API unhooking to dump the memory contents of lsass.exe, bypassing user-mode hooks placed on ntdll functions such as NtReadVirtualMemory.

Simulation Metadata

Tools

type    Name    Module
Manual  Cmd     Cmd

Adversary View

C:\Users\wardog\Desktop>Outflank-Dumpert.exe
________          __    _____.__                 __
\_____  \  __ ___/  |__/ ____\  | _____    ____ |  | __
  /   |   \|  |  \   __\   __\|  | \__  \  /    \|  |/ /
/    |    \  |  /|  |  |  |  |  |__/ __ \|   |  \    <
\_______  /____/ |__|  |__|  |____(____  /___|  /__|_ \
        \/                             \/     \/     \/
                                  Dumpert
                              By Cneeliz @Outflank 2019

[1] Checking OS version details:
        [+] Operating System is Windows 10 or Server 2016, build number 18363
        [+] Mapping version specific System calls.
[2] Checking Process details:
        [+] Process ID of lsass.exe is: 756
        [+] NtReadVirtualMemory function pointer at: 0x00007FFB929DC890
        [+] NtReadVirtualMemory System call nr is: 0x3f
        [+] Unhooking NtReadVirtualMemory.
[3] Create memorydump file:
        [+] Open a process handle.
        [+] Dump lsass.exe memory to: \??\C:\windows\Temp\dumpert.dmp
        [+] Dump succesful.

C:\Users\wardog\Desktop>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset and extract the first (only) JSON-lines file inside it
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_lsass_memory_dumpert_syscalls.zip"
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# One JSON object per line, so read it as JSON lines
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel (Security, Sysmon, etc.) to see what the dataset contains
df.groupby(['Channel']).size().sort_values(ascending=False)
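The adversary view above shows the two observable effects of Dumpert that survive its unhooking: a handle opened on lsass.exe and a minidump written to disk. Sysmon's ProcessAccess event (ID 10) comes from a kernel object callback, not from the user-mode hooks Dumpert removes, so it still fires. The following pandas hunt is an added example, not part of the dataset page or the Security-Datasets project; it loads constructed Sysmon records in the dataset's JSON-lines shape (assuming the standard Sysmon field names SourceImage, TargetImage, GrantedAccess, Image and TargetFilename) and flags processes that both read lsass memory and dropped a .dmp file.

```python
import io
import json
import pandas as pd

# Constructed Sysmon records in the dataset's JSON-lines shape. Field names
# follow Sysmon's schema; the values are made up for this example and are not
# taken from the real dataset.
RECORDS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Users\wardog\Desktop\Outflank-Dumpert.exe",
     "TargetImage": r"C:\windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\windows\system32\svchost.exe",
     "TargetImage": r"C:\windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\Users\wardog\Desktop\Outflank-Dumpert.exe",
     "TargetFilename": r"C:\windows\Temp\dumpert.dmp"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\windows\system32\svchost.exe",
     "TargetFilename": r"C:\windows\Temp\update.log"},
]

PROCESS_VM_READ = 0x0010  # required by NtReadVirtualMemory however it is invoked

def load_lines(lines):
    """Load JSON lines the same way the notebook does (read_json with lines=True)."""
    return pd.read_json(io.StringIO(lines), lines=True)

def sample_frame():
    """Serialize the constructed records to JSON lines and load them back."""
    return load_lines("\n".join(json.dumps(r) for r in RECORDS))

def lsass_dump_candidates(df):
    """Return images that opened lsass with VM_READ and also created a .dmp file."""
    # Signal 1: EID 10 ProcessAccess on lsass.exe with a readable access mask.
    # GrantedAccess is a hex string in Sysmon, so parse it before masking.
    access = df[df["EventID"] == 10]
    access = access[access["TargetImage"].str.lower().str.endswith("\\lsass.exe")]
    mask = access["GrantedAccess"].apply(lambda v: int(str(v), 16))
    readers = set(access[(mask & PROCESS_VM_READ) != 0]["SourceImage"].str.lower())
    # Signal 2: EID 11 FileCreate of a minidump file by the same image.
    writes = df[df["EventID"] == 11]
    writes = writes[writes["TargetFilename"].str.lower().str.endswith(".dmp")]
    writers = set(writes["Image"].str.lower())
    return sorted(readers & writers)

if __name__ == "__main__":
    print(lsass_dump_candidates(sample_frame()))
```

Against the real dataset, replace sample_frame() with the df loaded above; the svchost.exe rows show why the access mask matters, since 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine and must not alert.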