DopplePaymer Procdump
Id | 1be34fb9-f81b-47ae-84fb-465e6686d76c |
Rulename | DopplePaymer Procdump |
Description | This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. The following query detects ProcDump being used to dump credentials from LSASS. The See also section below lists links to other queries associated with DoppelPaymer. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB https://docs.microsoft.com/sysinternals/downloads/procdump https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection |
Severity | High |
Tactics | CredentialAccess |
Techniques | T1003 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml |
Version | 1.0.0 |
Arm template | 1be34fb9-f81b-47ae-84fb-465e6686d76c.json |
// Dumping of LSASS memory using procdump
DeviceProcessEvents
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerThreshold: 0
severity: High
status: Available
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
version: 1.0.0
tactics:
- CredentialAccess
queryFrequency: 1h
name: DopplePaymer Procdump
query: |
// Dumping of LSASS memory using procdump
DeviceProcessEvents
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerOperator: gt
relevantTechniques:
- T1003
tags:
- DoppelPaymer
- Ransomware
- Procdump
- Credential Dumping
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml
description: |
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.
The following query detects ProcDump being used to dump credentials from LSASS.
The See also section below lists links to other queries associated with DoppelPaymer.
References:
https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB
https://docs.microsoft.com/sysinternals/downloads/procdump
https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
id: 1be34fb9-f81b-47ae-84fb-465e6686d76c
queryPeriod: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1be34fb9-f81b-47ae-84fb-465e6686d76c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1be34fb9-f81b-47ae-84fb-465e6686d76c')]",
"properties": {
"alertRuleTemplateName": "1be34fb9-f81b-47ae-84fb-465e6686d76c",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.\nDoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.\nThe following query detects ProcDump being used to dump credentials from LSASS.\nThe See also section below lists links to other queries associated with DoppelPaymer.\nReferences:\nhttps://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB\nhttps://docs.microsoft.com/sysinternals/downloads/procdump\nhttps://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection\n",
"displayName": "DopplePaymer Procdump",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml",
"query": "// Dumping of LSASS memory using procdump\nDeviceProcessEvents\n// Command lines that include \"lsass\" and -accepteula or -ma flags used in procdump\n| where (ProcessCommandLine has \"lsass\" and (ProcessCommandLine has \"-accepteula\" or\nProcessCommandLine contains \"-ma\"))\n// Omits possible FPs where the full command is just \"procdump.exe lsass\"\nor (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"tags": [
"DoppelPaymer",
"Ransomware",
"Procdump",
"Credential Dumping"
],
"techniques": [
"T1003"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}