Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. DopplePaymer Procdump

DopplePaymer Procdump

Back
Id1be34fb9-f81b-47ae-84fb-465e6686d76c
RulenameDopplePaymer Procdump
DescriptionThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.

DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.

The following query detects ProcDump being used to dump credentials from LSASS.

The See also section below lists links to other queries associated with DoppelPaymer.

References:

https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB

https://docs.microsoft.com/sysinternals/downloads/procdump

https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
SeverityHigh
TacticsCredentialAccess
TechniquesT1003
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml
Version1.0.0
Arm template1be34fb9-f81b-47ae-84fb-465e6686d76c.json
Deploy To Azure
// Dumping of LSASS memory using procdump
DeviceProcessEvents
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

name: DopplePaymer Procdump
relevantTechniques:
- T1003
id: 1be34fb9-f81b-47ae-84fb-465e6686d76c
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
version: 1.0.0
severity: High
triggerThreshold: 0
tags:
- DoppelPaymer
- Ransomware
- Procdump
- Credential Dumping
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
queryFrequency: 1h
status: Available
query: |
  // Dumping of LSASS memory using procdump
  DeviceProcessEvents
  // Command lines that include "lsass" and -accepteula or -ma flags used in procdump
  | where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
  ProcessCommandLine contains "-ma"))
  // Omits possible FPs where the full command is just "procdump.exe lsass"
  or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
tactics:
- CredentialAccess
kind: Scheduled
description: |
  This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
  DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.
  The following query detects ProcDump being used to dump credentials from LSASS.
  The See also section below lists links to other queries associated with DoppelPaymer.
  References:
  https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
  https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB
  https://docs.microsoft.com/sysinternals/downloads/procdump
  https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection  
triggerOperator: gt