Dump file threat containment
Playbook Description
This playbook contains credential dump file threats by analyzing the process tree for a malicious execution flow and the command line for credential dumping tools. To remediate the attack it relocates the dump files, terminates and quarantines the processes involved, removes persistence, enables LSASS protection, and blocks the abused tools.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access (TA0006) | OS Credential Dumping (T1003) | Security Account Manager (T1003.002) |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | LSA Secrets (T1003.004) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Detect (D3-Detect) | Identifier Analysis (D3-ID) | File Hash Reputation Analysis (D3-FHRA) |
Playbook input type
Alert
Prerequisites
- PowerShell version 5.1 or later must be available on the target host.
- Windows Defender must be enabled and active on the target host.
- Software Restriction Policy (SRP) must not be disabled on the target host.
- Windows credentials: go to Settings -> Devices -> Windows Devices and provide or update the credentials of the respective Windows device; the account must have administrator privileges.
Dependencies
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- windows_detectMaliciousProcessChain
- windows_commandLineAnalysisProcdumpComsvcs
- utility_convertToString
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| EnableASRToPreventLSASS.ps1 | Enables the Attack Surface Reduction (ASR) rule that blocks credential stealing from the LSASS process (Rule ID: 9e6ea9f3-2e94-4a2a-89e3-4c77b740ab4a). | — |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms, including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services, to identify potential malicious persistence. | — |
| QuarantineFiles.ps1 | Moves one or more files to a quarantine directory (`%USERPROFILE%\Forensic_Quarantine`), strips inherited permissions via the .NET ACL API, and grants read-only access to Administrators. Skips protected PowerShell executables. | FilePaths |
| AddSoftwareRestrictionPolicy.ps1 | Creates Software Restriction Policy (SRP) rules in the Windows registry to block execution of programs from the specified paths. For each path it checks whether an SRP rule already exists — if one exists and is not set to "Disallowed", it updates the existing rule; otherwise it creates a new GUID-keyed rule under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths`. Enables SRP enforcement (TransparentEnabled=1, PolicyScope=0) on each run. | RestrictedPath |
| TerminateSession.ps1 | Logs off one or more user sessions using `logoff`, with optional RDP-only filtering by remote IP. | UserNames |
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal or hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
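The SRP rule layout described for AddSoftwareRestrictionPolicy.ps1 can be reproduced with a few registry operations. The script below is an added example, not the playbook's own AddSoftwareRestrictionPolicy.ps1: it creates a Disallowed (level 0) path rule for each supplied path under the `CodeIdentifiers\0\Paths` key named above, replaces any existing rule for the same path that sits at a different level, enables enforcement with the two values the table names, and finishes by validating that a Disallowed rule is now present for every path. The value names `ItemData`, `SaferFlags`, `Description` and `LastModified` are the standard SRP path-rule values; the sample path in the comment is hypothetical.

```powershell
# Added example (not the playbook's AddSoftwareRestrictionPolicy.ps1).
# Run from an elevated PowerShell 5.1+ session; -WhatIf previews every registry change.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Paths to block; SRP honours '*' wildcards, e.g. 'C:\Users\*\Downloads\procdump*.exe' (hypothetical).
    [Parameter(Mandatory)]
    [string[]]$RestrictedPath
)

$SaferRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPath = Join-Path $SaferRoot '0\Paths'   # security level 0 = Disallowed

function Find-SrpPathRule {
    # Returns the key(s) of any existing path rule whose ItemData equals $Path, at any level.
    param([string]$Path)
    Get-ChildItem -Path "$SaferRoot\*\Paths" -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ItemData -eq $Path
    }
}

function Test-SrpPathRuleDisallowed {
    # True when a Disallowed (level 0) rule for $Path exists; used for post-run validation.
    param([string]$Path)
    $rules = Find-SrpPathRule -Path $Path
    return [bool]($rules | Where-Object { $_.PSPath -like '*\CodeIdentifiers\0\Paths\*' })
}

foreach ($path in $RestrictedPath) {
    if (Test-SrpPathRuleDisallowed -Path $path) {
        Write-Verbose "Disallowed rule for '$path' already present; nothing to do."
        continue
    }
    # A rule for this path may exist at another level (e.g. Unrestricted); remove it so level 0 applies.
    foreach ($old in (Find-SrpPathRule -Path $path)) {
        if ($PSCmdlet.ShouldProcess($old.PSPath, 'Remove non-Disallowed SRP rule')) {
            Remove-Item -Path $old.PSPath -Recurse -Force
        }
    }
    $key = Join-Path $DisallowedPath ('{' + [guid]::NewGuid().ToString() + '}')
    if ($PSCmdlet.ShouldProcess($key, "Create Disallowed SRP path rule for '$path'")) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ItemData     -Value $path -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags   -Value 0     -PropertyType DWord        -Force | Out-Null
        New-ItemProperty -Path $key -Name Description  -Value 'Blocked by dump file containment' -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    }
}

# Enforcement values named on the page: TransparentEnabled=1 applies the rules to all software
# files except libraries (DLLs); PolicyScope=0 applies the policy to all users, administrators included.
if ($PSCmdlet.ShouldProcess($SaferRoot, 'Enable SRP enforcement')) {
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0 -Type DWord
}

# Validation step, matching the playbook's "validates if all remediation actions are completed" check.
foreach ($path in $RestrictedPath) {
    [pscustomobject]@{ Path = $path; Disallowed = (Test-SrpPathRuleDisallowed -Path $path) }
}
```

Usage: `.\Add-SrpPathRule.ps1 -RestrictedPath 'C:\Users\*\Downloads\procdump*.exe' -WhatIf` (hypothetical file name and path) lists the keys that would be written without touching the registry; drop `-WhatIf` to apply. One caveat to verify on the target host: a policy first created through secpol.msc also populates `DefaultLevel` and `ExecutableTypes` under `CodeIdentifiers`, so on a host where SRP has never been configured, confirm those values exist before relying on the new rule.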
Execution workflow
Investigation:
- Retrieves the process tree of the alerted process.
- Checks the process tree for a malicious execution flow.
Decision logic:
- Proceeds to remediation based on the following conditions:
  - A malicious execution flow was detected in the process tree.
  - If the activity is suspicious but not confirmed malicious, the playbook sends a notification for manual review and stops further actions.
  - If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Analyzes the command line for suspicious patterns, URLs, or file paths (procdump and comsvcs usage, dump file locations).
- Relocates the dump file to the quarantine directory.
- Sends a notification with the dump analysis results.
- Terminates and quarantines processes.
- Enables LSASS protection.
- Blocks procdump and comsvcs.
- Logs off the user.
- Removes persistence.
- Validates if all remediation actions are completed successfully.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
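The command-line analysis step and the three-way decision (malicious, suspicious, no indicators) can be shown on sample data. The function below is an added example and not the playbook's windows_commandLineAnalysisProcdumpComsvcs utility: it classifies a process command line as Malicious, Suspicious, or Benign using the two tools this page blocks, and extracts any `.dmp` path the command line references so the relocation step knows what to move. The sample command lines at the end are constructed for the example, not taken from a real incident; the function name and verdict labels are this example's own.

```powershell
# Added example (not the playbook's windows_commandLineAnalysisProcdumpComsvcs function).
function Test-CredentialDumpCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        $cl = $CommandLine.ToLowerInvariant()

        # Confirmed-malicious patterns: the two tools the playbook blocks, used against LSASS.
        $malicious = [ordered]@{
            'procdump targeting lsass'  = 'procdump.*\blsass\b'
            'comsvcs MiniDump export'   = 'comsvcs.*minidump'
        }
        # Weaker indicators: LSASS named next to a dump path, but no known tool -> manual review.
        $suspicious = [ordered]@{
            'lsass referenced with a .dmp path' = '\blsass\b.*\.dmp|\.dmp.*\blsass\b'
        }

        $verdict = 'Benign'; $reason = $null
        foreach ($name in $malicious.Keys) {
            if ($cl -match $malicious[$name]) { $verdict = 'Malicious'; $reason = $name; break }
        }
        if ($verdict -eq 'Benign') {
            foreach ($name in $suspicious.Keys) {
                if ($cl -match $suspicious[$name]) { $verdict = 'Suspicious'; $reason = $name; break }
            }
        }

        # Dump file paths (quoted or bare) that the relocation step should move to quarantine.
        $dumpPaths = [regex]::Matches($CommandLine, '"([^"]+\.dmp)"|(\S+\.dmp)', 'IgnoreCase') |
            ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } }

        # NextAction mirrors the playbook's decision logic.
        $next = switch ($verdict) {
            'Malicious'  { 'Remediate' }
            'Suspicious' { 'Notify for manual review and stop' }
            default      { 'End playbook' }
        }

        [pscustomobject]@{
            Verdict     = $verdict
            Reason      = $reason
            DumpPaths   = @($dumpPaths)
            NextAction  = $next
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines for the example (not from a real host).
$samples = @(
    'C:\Tools\procdump64.exe -ma lsass.exe C:\Temp\lsass.dmp',
    'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 "C:\Temp\out file.dmp" full',
    'C:\Windows\System32\WerFault.exe -u -p 4512 -s 1234',
    'C:\Dev\viewer.exe C:\Users\alice\crash\app.dmp lsass-notes.txt'
)
$samples | Test-CredentialDumpCommandLine | Format-Table Verdict, Reason, NextAction, DumpPaths -AutoSize
```

Running the block yields Malicious for the first two lines (each with its dump path extracted, including the quoted path with a space), Benign for the WerFault line, and Suspicious for the last line, which names both lsass and a `.dmp` file without a known tool and therefore goes to manual review rather than automatic remediation. The patterns are deliberately narrow; a production rule set would add the other tools and hashes the detection team tracks.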
Post execution procedure
- Analyze the relocated dump file for evidence of credential theft.
- Reset credentials for accounts that might have been compromised.
- Review system logs for lateral movement or privilege escalation indicators.
- Confirm that LSASS protection and software restriction policies are active.
- Notify the affected user about the actions taken.