Suspicious Module Loaded by LSASS

Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/12/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into
the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that
are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Module Loaded by LSASS"
references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
risk_score = 47
rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.category in ("library", "driver") and host.os.type == "windows" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  not (dll.code_signature.subject_name :
               ("Microsoft Windows",
                "Microsoft Corporation",
                "Microsoft Windows Publisher",
                "Microsoft Windows Software Compatibility Publisher",
                "Microsoft Windows Hardware Compatibility Publisher",
                "McAfee, Inc.",
                "SecMaker AB",
                "HID Global Corporation",
                "HID Global",
                "Apple Inc.",
                "Citrix Systems, Inc.",
                "Dell Inc",
                "Hewlett-Packard Company",
                "Symantec Corporation",
                "National Instruments Corporation",
                "DigitalPersona, Inc.",
                "Novell, Inc.",
                "gemalto",
                "EasyAntiCheat Oy",
                "Entrust Datacard Corporation",
                "AuriStor, Inc.",
                "LogMeIn, Inc.",
                "VMware, Inc.",
                "Istituto Poligrafico e Zecca dello Stato S.p.A.",
                "Nubeva Technologies Ltd",
                "Micro Focus (US), Inc.",
                "Yubico AB",
                "GEMALTO SA",
                "Secure Endpoints, Inc.",
                "Sophos Ltd",
                "Morphisec Information Security 2014 Ltd",
                "Entrust, Inc.",
                "Nubeva Technologies Ltd",
                "Micro Focus (US), Inc.",
                "F5 Networks Inc",
                "Bit4id",
                "Thales DIS CPL USA, Inc.",
                "Micro Focus International plc",
                "HYPR Corp",
                "Intel(R) Software Development Products",
                "PGP Corporation",
                "Parallels International GmbH",
                "FrontRange Solutions Deutschland GmbH",
                "SecureLink, Inc.",
                "Tidexa OU",
                "Amazon Web Services, Inc.",
                "SentryBay Limited",
                "Audinate Pty Ltd",
                "CyberArk Software Ltd.",
                "McAfeeSysPrep",
                "NVIDIA Corporation PE Sign v2016",
                "Trend Micro, Inc.",
                "Fortinet Technologies (Canada) Inc.",
                "Carbon Black, Inc.") and
       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and

     not dll.hash.sha256 :
                ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
                 "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
                 "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
                 "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
                 "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
                 "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
                 "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
                 "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
                 "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Module Loaded by LSASS

The Local Security Authority Subsystem Service (LSASS) is crucial for managing security policies and handling user authentication in Windows environments. Adversaries exploit LSASS by loading malicious or untrusted DLLs to access sensitive credentials. The detection rule identifies such threats by monitoring LSASS for unsigned or untrusted DLLs, excluding known safe signatures and hashes, thus flagging potential credential dumping activities.

### Possible investigation steps

- Review the process details for lsass.exe to confirm the presence of any unsigned or untrusted DLLs loaded into the process. Pay particular attention to the DLL's code signature status and hash values.
- Cross-reference the identified DLL's hash against known malicious hashes in threat intelligence databases to determine if it is associated with any known threats.
- Investigate the source and path of the suspicious DLL to understand how it was introduced into the system. This may involve checking recent file creation or modification events in the system directories.
- Analyze the system's event logs for any related activities or anomalies around the time the suspicious DLL was loaded, such as unusual user logins or privilege escalation attempts.
- Check for any recent changes in the system's security settings or policies that might have allowed the loading of untrusted DLLs into LSASS.
- If the DLL is confirmed to be malicious, isolate the affected system to prevent further credential access or lateral movement within the network.

### False positive analysis

- Legitimate software from trusted vendors not included in the exclusion list may trigger false positives. Users can update the exclusion list with additional trusted signatures or hashes from verified vendors to prevent these alerts.
- Custom or in-house developed DLLs used within the organization might be flagged as suspicious. Organizations should ensure these DLLs are signed with a trusted certificate and add their signatures to the exclusion list if necessary.
- Security software updates or patches from vendors not currently listed may cause false positives. Regularly review and update the exclusion list to include new trusted signatures from security software providers.
- Temporary or expired certificates for legitimate DLLs can result in false positives. Users should verify the legitimacy of these DLLs and update the exclusion list with their signatures if they are confirmed safe.
- DLLs from newly installed software that are not yet recognized as trusted may be flagged. Users should validate the software's source and add its signatures to the exclusion list if it is deemed secure.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the LSASS process if it is confirmed to be running a malicious or untrusted DLL, ensuring that this action does not disrupt critical services.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
- Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
- Implement application whitelisting to prevent unauthorized DLLs from being loaded into critical processes like LSASS in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update security monitoring tools to enhance detection capabilities for similar threats, ensuring that alerts are generated for any future attempts to load untrusted DLLs into LSASS."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
...
```
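The query's exclusion logic has a subtlety worth seeing on concrete events: the signer allowlist only suppresses an alert when the subject name is allowlisted *and* the signature status is `trusted` or one of the tolerated error states, so a DLL that merely carries a trusted-looking subject name but fails chain validation still fires, as does a DLL with no signature at all (a null field never matches `:` in EQL). The following added example, written for this page and not part of the Elastic rule or its repository, emulates that evaluation in Python over constructed ECS-style library-load events. The `load_event` helper, the abridged `TRUSTED_SIGNERS` subset and all DLL paths and hashes other than the two copied from the rule's hash list are assumptions made for the demonstration.

```python
"""Offline emulation of the 'Suspicious Module Loaded by LSASS' EQL logic.

Hypothetical helper code, not Elastic's rule engine: it mirrors the query's
structure (library/driver load, lsass.exe as the loading process, signer
allowlist gated on signature status, hash exclusions) so the suppression
semantics can be checked against constructed events.
"""
import fnmatch

LSASS_EXE = "?:\\Windows\\System32\\lsass.exe"  # EQL '?' matches the drive letter

# Abridged subset of the rule's signer allowlist; the full list is in the query.
TRUSTED_SIGNERS = (
    "Microsoft Windows",
    "Microsoft Corporation",
    "Microsoft Windows Publisher",
    "Yubico AB",
    "CyberArk Software Ltd.",
)

# Signature states under which an allowlisted signer suppresses the alert.
TOLERATED_STATUS = ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")

# First two entries of the rule's own hash exclusion list.
KNOWN_HASHES = (
    "811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
    "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
)


def eql_like(value, patterns):
    """Emulate EQL's ':' operator: case-insensitive, '*' and '?' wildcards, and
    false for a missing (null) field. The null case is what makes an unsigned DLL
    (no subject_name at all) fall through to an alert."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """Return True when one library/driver load event satisfies the rule."""
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    # EQL 'in' is case-sensitive; an array field matches if any element matches.
    if not any(c in ("library", "driver") for c in categories):
        return False
    if event.get("host.os.type") != "windows":
        return False
    if not eql_like(event.get("process.executable"), (LSASS_EXE,)):
        return False
    subject = event.get("dll.code_signature.subject_name")
    status = event.get("dll.code_signature.status")
    # Allowlist applies only when the signer name is trusted AND the signature
    # validated (or failed in a tolerated way); a spoofed subject with an
    # untrusted chain is not suppressed.
    if eql_like(subject, TRUSTED_SIGNERS) and eql_like(status, TOLERATED_STATUS):
        return False
    if eql_like(event.get("dll.hash.sha256"), KNOWN_HASHES):
        return False
    return True


def evaluate(events):
    """Return the dll.path of every event the rule would alert on, in order."""
    return [e["dll.path"] for e in events if matches_rule(e)]


def load_event(dll_path, sha256, subject=None, status=None,
               exe="C:\\Windows\\System32\\lsass.exe"):
    """Build a constructed ECS-style library-load event (test data, not telemetry)."""
    e = {"event.category": ["library"], "host.os.type": "windows",
         "process.executable": exe, "dll.path": dll_path, "dll.hash.sha256": sha256}
    if subject is not None:
        e["dll.code_signature.subject_name"] = subject
        e["dll.code_signature.status"] = status
    return e


SAMPLE_EVENTS = [
    # Built-in SSP, Microsoft-signed and validated: suppressed by the allowlist.
    load_event("C:\\Windows\\System32\\msv1_0.dll", "0" * 64, "Microsoft Windows", "trusted"),
    # Unsigned DLL (no signature fields) from a writable directory: alerts.
    load_event("C:\\Windows\\Temp\\customssp.dll", "1" * 64),
    # Claims a trusted subject but the chain does not validate: still alerts.
    load_event("C:\\ProgramData\\helper.dll", "2" * 64, "Microsoft Windows", "errorUntrustedRoot"),
    # Unsigned, but its hash is on the rule's exclusion list: suppressed.
    load_event("C:\\Windows\\System32\\vendor_pkg.dll", KNOWN_HASHES[0]),
    # Same unsigned DLL loaded by a different process: outside this rule's scope.
    load_event("C:\\Windows\\Temp\\customssp.dll", "1" * 64, exe="C:\\Windows\\System32\\svchost.exe"),
    # Allowlisted vendor with an expired certificate, other drive letter, mixed
    # case: '?' and case-insensitive matching keep it suppressed.
    load_event("D:\\Program Files\\Yubico\\minidriver.dll", "3" * 64, "YUBICO AB", "errorExpired",
               exe="D:\\Windows\\System32\\lsass.exe"),
]

if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The two events that fire are the unsigned DLL in `C:\Windows\Temp` and the DLL whose subject name reads "Microsoft Windows" but whose signature status is `errorUntrustedRoot`; the second case is the reason the rule gates the allowlist on `dll.code_signature.status` rather than trusting the subject name alone. When tuning, prefer adding a hash or a fully validated signer over widening `TOLERATED_STATUS`, since each extra tolerated status weakens that gate.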