← Back to Explore
sigmahighHunting
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Detection Query
selection:
CommandLine|contains:
- \TrolleyExpress 7
- \TrolleyExpress 8
- \TrolleyExpress 9
- \TrolleyExpress.exe 7
- \TrolleyExpress.exe 8
- \TrolleyExpress.exe 9
- "\\TrolleyExpress.exe -ma "
renamed:
Image|endswith: \TrolleyExpress.exe
filter_renamed:
OriginalFileName|contains: CtxInstall
filter_empty:
OriginalFileName: null
condition: selection or ( renamed and not 1 of filter* )
Author
Florian Roth (Nextron Systems)
Created
2022-02-10
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.011attack.credential-accessattack.t1003.001
Raw Content
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
- attack.defense-evasion
- attack.t1218.011
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
- '\TrolleyExpress 7'
- '\TrolleyExpress 8'
- '\TrolleyExpress 9'
- '\TrolleyExpress.exe 7'
- '\TrolleyExpress.exe 8'
- '\TrolleyExpress.exe 9'
# Common dumpers
- '\TrolleyExpress.exe -ma '
renamed:
Image|endswith: '\TrolleyExpress.exe'
filter_renamed:
OriginalFileName|contains: 'CtxInstall'
filter_empty:
OriginalFileName: null
condition: selection or ( renamed and not 1 of filter* )
falsepositives:
- Unknown
level: high