Detecting the presence of SafetyDump tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon and the process creation audit policy to be enabled in order to function correctly.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the execution of SafetyDump.exe, a credential-dumping tool whose output can be written to a file or transmitted over a C2 channel. It allows adversaries to extract sensitive data, evade traditional defenses, establish persistence, conduct espionage, and communicate stealthily through that channel.

Data source:

Windows: User account, process, file, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0006 - Credential Access

Techniques: T1003 - OS Credential Dumping, T1555 - Credentials from Password Stores

Sub-techniques: T1003.001 - LSASS Memory, T1003.002 - Security Account Manager

Criteria:

Original file name ends with "SafetyDump.exe": This condition checks the event logs for entries where the original file name of the executed binary ends with "SafetyDump.exe".

Process name ends with "SafetyDump.exe": This condition examines the process name itself. It triggers when the process name recorded in an event log ends with "SafetyDump.exe".
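The two criteria above, applied to constructed process-creation records, as an added example that is not part of the original rule or of Log360. It assumes Sysmon Event ID 1 fields (Image, OriginalFileName) and Security Event ID 4688 (NewProcessName); the sample events are constructed, not real telemetry.

```python
"""Added example: evaluate the two SafetyDump criteria against constructed
Windows process-creation events. Field names follow Sysmon Event ID 1
(Image, OriginalFileName) and Security Event ID 4688 (NewProcessName);
the sample records below are constructed, not real telemetry."""
from dataclasses import dataclass

TOOL_SUFFIX = "safetydump.exe"  # both checks compare case-insensitively


@dataclass
class Match:
    event_id: int
    field: str
    value: str


def _process_fields(event: dict) -> list[tuple[str, str]]:
    """Return the (field, value) pairs the rule inspects for one event."""
    if event.get("Channel") == "Microsoft-Windows-Sysmon/Operational" and event.get("EventID") == 1:
        return [("OriginalFileName", event.get("OriginalFileName", "")),
                ("Image", event.get("Image", ""))]
    if event.get("Channel") == "Security" and event.get("EventID") == 4688:
        return [("NewProcessName", event.get("NewProcessName", ""))]
    return []  # other events carry no process name; the rule ignores them


def matches_safetydump(event: dict) -> list[Match]:
    """Criteria: original file name OR process name ends with SafetyDump.exe."""
    return [Match(event["EventID"], field, value)
            for field, value in _process_fields(event)
            if value.lower().endswith(TOOL_SUFFIX)]


def scan(events: list[dict]) -> list[Match]:
    """Run the rule over a batch of events and collect every hit."""
    return [m for e in events for m in matches_safetydump(e)]


# Constructed sample events (assumed values, not captured logs).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,       # renamed on disk,
     "Image": r"C:\Users\Public\sd.exe", "OriginalFileName": "SafetyDump.exe"},  # caught by PE name
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Temp\SafetyDump.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Temp\SafetyDumpNotes.txt"},
]

if __name__ == "__main__":
    for m in scan(SAMPLE_EVENTS):
        print(f"EventID {m.event_id}: {m.field}={m.value}")
```

The first sample shows what the Sysmon prerequisite buys: Security 4688 records only the on-disk path, so a renamed copy is caught only through Sysmon's OriginalFileName field.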

When to enable this rule:

Enable this rule when you want to detect data exfiltration attempts. It allows you to identify potential breaches early on and minimize damage.

Compliance mapping (NIST, CIS):

Enabling this rule helps you meet the requirements of the following security standards:

NIST Cybersecurity Framework (CSF):

• Anomalies in System Process Execution (DE.AE-1): Detection of unusual process executions or command-line arguments indicative of SafetyDump usage, such as attempts to extract or manipulate credentials.
• Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or memory dumps.
• Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit credential vulnerabilities or elevate privileges.

CIS:

• Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SafetyDump and similar tools targeting credential extraction.
• Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SafetyDump usage or suspicious activity targeting credentials.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise using the Incident Workbench to gain insight into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.

How to proceed?

ManageEngine Log360's real-time correlation engine helps detect threats instantly. Get in touch with our technical experts for a hands-on product tour or to learn how to tailor the solution to your needs.