
Rami

EFS HIPS Question


Quote

C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

I think this one needs a detailed investigation. Why?

Quote

Cobalt Strike: Built-in Mimikatz credential dump capability executed

A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).

Cobalt Strike: Built-in hash dump capability executed

Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent “injected (svchost.exe > lsass.exe)” alert. The hashdumpx64.dll was also seen loaded as floating executable code.

https://attackevals.mitre.org/evaluations/cybereason.1.apt3.1/procedures/credentialdumping
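As an added example (not from the post, ESET or MITRE), here is a small Python triage helper that parses log lines in the semicolon-separated shape of the HIPS line quoted above and ranks cross-process access to lsass.exe; the field names and the two extra sample lines are my constructions, not ESET's documented format.

```python
import csv
import ntpath
from dataclasses import dataclass
from io import StringIO

# Constructed sample: the line from the post plus two made-up lines for contrast.
SAMPLE_LOG = "\n".join([
    r"C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application",
    r"C:\Program Files\Example\updater.exe;Modify file;C:\Program Files\Example\app.exe;allowed;Constructed allow rule;Write to file",
    r"C:\Windows\System32\csrss.exe;Get access to another application;C:\Windows\System32\lsass.exe;allowed;Constructed rule;Read memory",
])

# Field order follows the quoted line; the field names are my assumption, not ESET's.
@dataclass
class HipsEvent:
    source: str
    operation: str
    target: str
    verdict: str
    rule: str
    detail: str

def parse_hips_log(text: str) -> list[HipsEvent]:
    # Semicolon-delimited export; lines without exactly six fields are skipped.
    events = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) == 6:
            events.append(HipsEvent(*(f.strip() for f in row)))
    return events

# Processes whose memory holds credentials: any cross-process access is worth a look.
CREDENTIAL_PROCESSES = {"lsass.exe"}
# Details that indicate more than a read, e.g. an injection or kill attempt.
INTRUSIVE = ("terminate", "suspend", "modify", "write", "inject")

def triage(ev: HipsEvent) -> tuple[str, str]:
    # Returns (severity, reason). A "blocked" verdict does not lower severity:
    # the attempt itself is the signal, and the actor may retry another way.
    target = ntpath.basename(ev.target).lower()
    source = ntpath.basename(ev.source)
    if target not in CREDENTIAL_PROCESSES:
        return "info", f"{source}: target {target} is not a credential process"
    if ev.operation != "Get access to another application":
        return "low", f"{source}: non-access operation on {target}"
    if any(word in ev.detail.lower() for word in INTRUSIVE):
        return "high", f"{source} attempted '{ev.detail}' on {target}"
    return "medium", f"{source} obtained read access to {target}"

def triage_log(text: str) -> list[tuple[str, str]]:
    return [triage(ev) for ev in parse_hips_log(text)]
```

Running `triage_log(SAMPLE_LOG)` rates the quoted svchost.exe line "high" because the requested action was terminate/suspend on lsass.exe, which is the case the post asks about.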
