LOLBAS/yml/OtherMSBinaries/Adplus.yml
bohops 23dd0236ae
Detection Resources and Other Updates (#179)
* Add detection links for scripts

* Add detection links for OtherMSBins. Fixed and updated as needed.

* Add detection links for MSBins. Fixed and updated as needed.

* Add detection links for oslibraries

* Updating template for Detections

* Removing empty Detection:Sigma entries

* Remove redundant blank line

* Replacing commit URL with file URL

Co-authored-by: root <root@DESKTOP-5CR935D.localdomain>
Co-authored-by: Wietze <wietze@users.noreply.github.com>
2021-11-15 08:19:03 -05:00

27 lines
849 B
YAML

---
Name: adplus.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 2021-09-01
Commands:
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: All Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Code_Sample:
- Code:
Detection:
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---