Detecting the presence of SafetyDump tool

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the execution of SafetyDump.exe, a tool capable of allowing the data to be stored in a file or transmitted through a C2 channel. It allows adversaries to extract sensitive data, evade traditional defenses, establish persistence, conduct espionage, and communicate stealthily through the channel.

Data source:

Windows: User account, process, file, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006 - Credential Access

Techniques: T1003 OS Credential Dumping, T1555 - Credential from Password Stores

Sub-techniques: T1003.001 - LSASS Memory, T1003.002 - Security Account Manager

Criteria:

Original file name ends with "SafetyDump.exe": This condition checks the event logs for entries where the name of the originally executed file ends with "SafetyDump.exe".

Process name ends with "SafetyDump.exe": This condition focuses on the process name itself. It will trigger if any process name within the event logs contains "SafetyDump.exe" at the end.

When to enable this rule:

Enable this rule when you want to detect data exfiltration attempts. It allows you to identify potential breaches early on and minimize damage.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

NIST Cybersecurity Framework (CSF):

• Anomalies in System Process Execution (DE.AE-1): Detection of unusual process executions or command-line arguments indicative of SafetyDump usage, such as attempts to extract or manipulate credentials.
• Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or memory dumps.
• Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit credential vulnerabilities or elevate privileges.

CIS:

• Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SafetyDump and similar tools targeting credential extraction.
• Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SafetyDump usage or suspicious activities targeting credentials.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assigning the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.