DopplePaymer Procdump
| Id | 1be34fb9-f81b-47ae-84fb-465e6686d76c |
| Rulename | DopplePaymer Procdump |
| Description | This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. The following query detects ProcDump being used to dump credentials from LSASS. The See also section below lists links to other queries associated with DoppelPaymer. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB https://docs.microsoft.com/sysinternals/downloads/procdump https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection |
| Severity | High |
| Tactics | CredentialAccess |
| Techniques | T1003 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml |
| Version | 1.0.0 |
| Arm template | 1be34fb9-f81b-47ae-84fb-465e6686d76c.json |
// Dumping of LSASS memory using procdump
DeviceProcessEvents
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
id: 1be34fb9-f81b-47ae-84fb-465e6686d76c
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tags:
- DoppelPaymer
- Ransomware
- Procdump
- Credential Dumping
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
version: 1.0.0
triggerOperator: gt
queryPeriod: 1h
query: |
// Dumping of LSASS memory using procdump
DeviceProcessEvents
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
relevantTechniques:
- T1003
tactics:
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml
status: Available
description: |
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.
The following query detects ProcDump being used to dump credentials from LSASS.
The See also section below lists links to other queries associated with DoppelPaymer.
References:
https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB
https://docs.microsoft.com/sysinternals/downloads/procdump
https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
name: DopplePaymer Procdump
kind: Scheduled
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1be34fb9-f81b-47ae-84fb-465e6686d76c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1be34fb9-f81b-47ae-84fb-465e6686d76c')]",
"properties": {
"alertRuleTemplateName": "1be34fb9-f81b-47ae-84fb-465e6686d76c",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.\nDoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.\nThe following query detects ProcDump being used to dump credentials from LSASS.\nThe See also section below lists links to other queries associated with DoppelPaymer.\nReferences:\nhttps://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB\nhttps://docs.microsoft.com/sysinternals/downloads/procdump\nhttps://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection\n",
"displayName": "DopplePaymer Procdump",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml",
"query": "// Dumping of LSASS memory using procdump\nDeviceProcessEvents\n// Command lines that include \"lsass\" and -accepteula or -ma flags used in procdump\n| where (ProcessCommandLine has \"lsass\" and (ProcessCommandLine has \"-accepteula\" or\nProcessCommandLine contains \"-ma\"))\n// Omits possible FPs where the full command is just \"procdump.exe lsass\"\nor (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"tags": [
"DoppelPaymer",
"Ransomware",
"Procdump",
"Credential Dumping"
],
"techniques": [
"T1003"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}