6ab91b8c1366275859c051cddb3b16df
[{"rule_id":395,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1687879280170,"modify_time":1687879288067,"severity":"SEV_030_MEDIUM","source":"frank.bussink@e-xpertsolutions.com","comment":"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Rdrleakdiag\/\nNo known legit usage","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":{"runOnCGO":true,"investigationType":"PROCESS_EXECUTION_EVENT","investigation":{"PROCESS_EXECUTION_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"action_process_image_name","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"rdrleakdiag","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_process_image_command_line","SEARCH_TYPE":"REGEX","SEARCH_VALUE":".*rdrleakdiag.*\\\/fullmemdmp.*","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"7a67171bb15f69cb9e42881b5e49c089","indicator_text":"Process action type = execution AND target process cmd =~ .*rdrleakdiag.*\\\/fullmemdmp.* AND target process name =~ rdrleakdiag","name":"BIOC-Rdrleakdiag-lolbas-command","mitre_technique_id_and_name":"T1003.001 - OS Credential Dumping: LSASS Memory","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name \"rdrleakdiag\" 0) (regex ?command_line \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid 
?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name \"rdrleakdiag\" 0) (regex ?command_line \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex (lowcase ?process_image_name) \"rdrleakdiag\" 0) (regex (lowcase ?command_line) \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))"}},"btp_rule_name":"process_start_395","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1687879280170,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}]