Dump process memory and upload to the server
Common Archive Utilities: Winrar, Winzip, 7-zip, Winscp, FileZilla
Common Exfil Utilities: robocopy, rclone, mega*
Consoles: cmd, powershell
name: Windows.Triage.HighValueMemory
description: |
Dump process memory and upload to the server
Common Archive Utilities: Winrar, Winzip, 7-zip, Winscp, FileZilla
Common Exfil Utilities: robocopy, rclone, mega*
Consoles: cmd, powershell
author: "@kevinfosec - liteman"
parameters:
- name: processRegexCsv
default: |
processName
mega
winrar
winzip
7z
winscp
filezilla
robocopy
rclone
notepad
cmd
powershell
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET processRegexList <= SELECT processName
FROM parse_csv(filename=processRegexCsv, accessor='data')
LET processes(processRegex) = SELECT Name as ProcessName,
CommandLine,
Pid
FROM pslist()
WHERE Name =~ processRegex
LET processList = SELECT *
FROM foreach(
row=processRegexList,
query={ SELECT * from processes(processRegex=processName) }
)
SELECT *
FROM foreach(
row=processList,
query={
SELECT ProcessName,
CommandLine,
Pid,
FullPath,
upload(file=FullPath,
name=format(format="%v_%v",args=[ProcessName,Pid])) as CrashDump
FROM proc_dump(pid=Pid)
}
)