IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Memory Dump File with Unusual Extensionedit
Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Tactic: Defense Evasion
- Data Source: Elastic Defend
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
file where host.os.type == "windows" and event.type == "creation" and
/* MDMP header */
file.Ext.header_bytes : "4d444d50*" and
not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat") and
not
(
process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and
process.code_signature.trusted == true and length(file.extension) == 0
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
-
Sub-technique:
- Name: LSASS Memory
- ID: T1003.001
- Reference URL: https://attack.mitre.org/techniques/T1003/001/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
-
Sub-technique:
- Name: Masquerade File Type
- ID: T1036.008
- Reference URL: https://attack.mitre.org/techniques/T1036/008/