detection.wiki

Detection rules › Kusto Query Language

DopplePaymer Procdump

Source
upstream

This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. The following query detects ProcDump being used to dump credentials from LSASS. The See also section below lists links to other queries associated with DoppelPaymer. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB https://docs.microsoft.com/sysinternals/downloads/procdump https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003 OS Credential Dumping

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.
Defender-DeviceProcessEvents9001000Process activity (any)

Stages and Predicates

Stage 1: source

DeviceProcessEvents

Stage 2: where

or
  and
    or
      ProcessCommandLine contains "-ma"
      ProcessCommandLine match "-accepteula"
    ProcessCommandLine match "lsass"
  and
    FileName in ["procdump.exe", "procdump64.exe"]
    ProcessCommandLine match "lsass"

Stage 3: extend

Stage 4: extend

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
FileNamein
  • procdump.exe
  • procdump64.exe
ProcessCommandLinecontains
  • -ma
ProcessCommandLinematch
  • -accepteula
  • lsass corpus 4 (sigma 4)