Potential Credential Access via Windows Utilities

Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.

Elastic rule (TOML source):

[metadata]
creation_date = "2020/11/24"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database
(NTDS.dit) in preparation for credential access.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Windows Utilities"
references = [
    "https://lolbas-project.github.io/",
    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 73
rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
(
  (
    (?process.pe.original_file_name : "procdump" or process.name : "procdump.exe") and process.args : "-ma"
  ) or
  (
    process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*"""
  ) or
  (
    (?process.pe.original_file_name : "WriteMiniDump.exe" or process.name : "WriteMiniDump.exe") and
      not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*"""
  ) or
  (
    (?process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and
      (process.args : "*MiniDump*" or process.command_line : "*comsvcs*#*24*")
  ) or
  (
    (?process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and
      process.args : "/fullmemdmp"
  ) or
  (
    (?process.pe.original_file_name : "SqlDumper.exe" or process.name : "SqlDumper.exe") and
      process.args : "0x01100*") or
  (
    (?process.pe.original_file_name : "TTTracer.exe" or process.name : "TTTracer.exe") and
      process.args : "-dumpFull" and process.args : "-attach") or
  (
    (?process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and
      process.args : "cr*fu*") or
  (
    (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s")
)
'''

note = """## Triage and analysis

### Investigating Potential Credential Access via Windows Utilities

#### Possible investigation steps

- Which utility path did the alert take, and is the binary identity credible?
  - Focus: `process.name`, `process.pe.original_file_name`, `process.executable`, `process.command_line`, and `process.code_signature.subject_name`.
  - Implication: escalate faster when the alert path is a dump-capable utility from a user-writable, renamed, missing expected signer, or unexpected location; lower suspicion only when the utility family, signer, installed path, and command pattern fit one recognized diagnostic, SQL troubleshooting, crash-triage, or AD maintenance workflow. Identity alone does not clear the behavior.

- Do the arguments identify a credential-dump objective?
  - Focus: `process.command_line`: credential target, dump mode, script path, and output location.
  - Hint: high-risk examples include "procdump -ma lsass.exe", Rundll32/comsvcs MiniDump, ntdsutil IFM output, and "diskshadow.exe /s" scripts that expose, copy, exec, or delete shadow-copy paths.
  - Implication: escalate when arguments target LSASS, invoke Rundll32/comsvcs dumping, create NTDS/IFM output, drive VSS script execution, or write to user-writable or share paths; lower suspicion when the target is clearly non-credential and the output path matches the same recognized troubleshooting or backup workflow.

- Does the parent chain explain why this host would run a dump or snapshot utility?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, and `process.Ext.session_info.logon_type`, with `user.id` defining the actor scope.
  - Implication: escalate when the chain starts from shells, script hosts, Office processes, unexpected services, scheduled tasks, or remote-interactive sessions; lower suspicion only when the same actor, session type, and parent workflow explain the utility launch and do not conflict with command intent.

- If file telemetry is available, did the utility create dump, shadow-copy, or directory database artifacts?
  - Focus: recover file events with `host.id` + `process.entity_id`; if `process.entity_id` is missing, use `host.id` + `process.pid` + a tight alert window, then review `file.path`, `file.Ext.original.path`, and `file.Ext.header_bytes` for dump files, copied directory-database material, IFM folders, registry hives, shadow-copy output, or archive staging. $investigate_2
  - Implication: escalate when artifacts show LSASS dumps, AD database or credential-hive collection, shadow-copy access, or staged archives; close cannot rely on absent file events because missing file telemetry is unresolved, not benign.

- Do child processes or connection events show collected material being staged or exported?
  - Focus: child process starts, file activity, and network activity where `process.parent.entity_id` matches the alerting `process.entity_id` on `host.id`; if network telemetry is available, review `destination.ip`, `destination.port`, and `network.direction`. $investigate_3 $investigate_4
  - Hint: if the utility spawns a short-lived archiver or copy tool, pivot from that child into same-host connection events before broadening.
  - Implication: escalate when the utility or child process spawns archivers, copy tools, "diskshadow.exe" exec children, or transfers dump material off-host; missing network telemetry is unresolved, not benign.

- If local findings remain suspicious or unresolved, do related alerts show broader credential-access activity?
  - Focus: related alerts for `user.id` covering dumping, privilege escalation, lateral movement, archiving, or staging. $investigate_0
  - Hint: if the actor view is sparse, pivot to related alerts for `host.id` covering precursor access, persistence, archiving, or exfiltration. $investigate_1
  - Implication: broaden when either view shows a credential-access chain or reuse of the same utility pattern; do not close solely because related alerts are absent if command intent, artifacts, lineage, or post-dump cleanup remain suspicious.

- Disposition: escalate when utility identity, command intent, lineage, artifacts, staging, or related scope indicate credential access; close only when identity, arguments, lineage, recovered artifacts, and supported scope all align with one recognized diagnostic, troubleshooting, crash-triage, backup, or IFM workflow; preserve artifacts and escalate when evidence is mixed or visibility is incomplete.

### False positive analysis

- Recognized crash-triage, SQL troubleshooting, AD backup, or IFM workflows can trigger this rule. Confirm the same workflow across identity (`process.executable`, `process.code_signature.subject_name`), lineage (`process.parent.executable`), intent (`process.command_line`), actor/scope (`user.id`, `host.id`), and recovered artifact paths when available. Case records may corroborate the workflow, but do not close on recurrence alone; use prior alerts only after current telemetry aligns.
- Build exceptions only from the confirmed recurring workflow: `process.executable`, `process.code_signature.subject_name`, `process.parent.executable`, stable `process.command_line`, `user.id`, `host.id`, and recovered output path or dump-directory pattern when available. Avoid exceptions on `process.name`, `host.id`, utility family, or generic dump switches alone.

### Response and remediation

- If confirmed benign, record the recognized diagnostic, backup, or directory-services evidence in `process.executable`, `process.command_line`, `process.parent.executable`, `user.id`, `host.id`, and recovered output paths when available, then reverse any temporary containment. Create an exception only if that same pattern recurs consistently across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the recovered `process.entity_id` or `process.pid` with `host.id` and time, `process.command_line`, script-file, dump, shadow-copy, and copied-database paths, child-process lineage via `process.parent.entity_id` / `process.parent.pid`, and any confirmed destination pairs before making destructive changes. Apply reversible containment first, such as temporary destination blocking or increased monitoring on the affected `host.id` and `user.id`. Escalate to host isolation only if dump material, IFM output, or staging transfers are confirmed and the host can tolerate interruption.
- If confirmed malicious, use endpoint response actions to isolate the host and terminate the dump or staging process after preserving `process.entity_id`, `process.parent.entity_id`, `process.command_line`, recovered output paths, any available `process.hash.sha256`, and confirmed destinations. If direct endpoint response is unavailable, hand off that artifact set immediately to the team that can isolate the system or block the destinations.
- If LSASS dumping is confirmed, assume exposure for all accounts with active sessions on the affected host, including interactive, service, and cached credentials. Prioritize resets for privileged, service, and lateral-movement-relevant accounts and review whether the dump material was staged or transferred before containment.
- If NTDS access or dump activity is confirmed on a domain controller, activate the organization's Active Directory compromise response plan, preserve the evidence needed to scope database and credential exposure, and begin privileged-account hygiene based on the systems and accounts implicated by the investigation before deleting copied database material.
- Review related hosts and users for the same `process.command_line` patterns, dump-file naming patterns, `process.parent.executable`, and confirmed destinations before deleting dump files, IFM output, shadow copies, utilities, or persistence mechanisms uncovered during the investigation, then remediate the delivery or privilege path that allowed the utility to run.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.name",
    "user.id",
    "process.entity_id",
    "process.name",
    "process.executable",
    "process.command_line",
    "process.pe.original_file_name",
    "process.parent.entity_id",
    "process.parent.executable",
    "process.parent.command_line",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.Ext.session_info.logon_type",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the alerting process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes of the alerting process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for the alerting process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"

[[rule.threat.technique.subtechnique]]
id = "T1003.003"
name = "NTDS"
reference = "https://attack.mitre.org/techniques/T1003/003/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
