Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Solutions A small chevron
Device management

Device management

Remotely manage, and protect laptops and mobile devices.

Orchestration

Orchestration

Automate tasks across devices, from app installs to scripts.

Software management

Software management

Inventory, patch, and manage installed software.

GitOps

Infrastructure as code

See every change, undo any error, repeat every success.

Extend Fleet

Extend Fleet

Integrate your favorite tools with Fleet.

Customers Pricing
More A small chevron
Get a demo
{{thisPage.meta.articleTitle}}
search

Fleet quick tips — identify systems where the ProcDump EULA has been accepted

{{articleSubtitle}}

Last updated on |
The author's GitHub profile picture

Mike Thomas

Share

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Get a demoGet a demo

Fleet quick tips — identify systems where the ProcDump EULA has been accepted

{{articleSubtitle}}

Last updated on | The author's GitHub profile picture

Mike Thomas

Fleet quick tips — identify systems where the ProcDump EULA has been accepted.

By now, you’ve no doubt already heard of Microsoft’s big email hack.

While attackers initially flew largely under the radar via an unknown vulnerability in the email software, the folks at Volexity observed a handful of post exploitation activities and tools that operators used to gain a foothold — one such tool being ProcDump, which attackers were observed using to dump LSASS process memory.

Identify systems where the ProcDump EULA has been accepted with Fleet

As a possible detection method using osquery and Fleet, check out this query from Recon InfoSec that looks for systems that accepted the ProcDump EULA. This query searches for a registry artifact that indicates ProcDump may have been used in a post-exploitation technique described by Microsoft’s security blog.

SELECT datetime(mtime, ‘unixepoch’, ‘localtime’) AS EULA_accepted,path
FROM registry
WHERE path LIKE ‘HKEY_USERS\%\Software\Sysinternals\ProcDump\EulaAccepted’;

*mtime = Time that EULA was accepted

For more information about the recent security breach, take a look at Microsoft’s original blog post.

Could this post be more helpful?

Let us know if you can think of any other example scenarios you’d like us to cover.