Suspicious Module Loaded by LSASS

calendar Oct 11, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Elastic Defend Data Source: Elastic Endgame  ·
Share on: linkedin copy

Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/12/28"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2024/10/10"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into
 11LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that
 12are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.library-*", "endgame-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Suspicious Module Loaded by LSASS"
 19references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
 20risk_score = 47
 21rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
 22severity = "medium"
 23tags = [
 24    "Domain: Endpoint",
 25    "OS: Windows",
 26    "Use Case: Threat Detection",
 27    "Tactic: Credential Access",
 28    "Data Source: Elastic Defend",
 29    "Data Source: Elastic Endgame",
 30]
 31timestamp_override = "event.ingested"
 32type = "eql"
 33
 34query = '''
 35any where event.category in ("library", "driver") and host.os.type == "windows" and
 36  process.executable : "?:\\Windows\\System32\\lsass.exe" and
 37  not (dll.code_signature.subject_name :
 38               ("Microsoft Windows",
 39                "Microsoft Corporation",
 40                "Microsoft Windows Publisher",
 41                "Microsoft Windows Software Compatibility Publisher",
 42                "Microsoft Windows Hardware Compatibility Publisher",
 43                "McAfee, Inc.",
 44                "SecMaker AB",
 45                "HID Global Corporation",
 46                "HID Global",
 47                "Apple Inc.",
 48                "Citrix Systems, Inc.",
 49                "Dell Inc",
 50                "Hewlett-Packard Company",
 51                "Symantec Corporation",
 52                "National Instruments Corporation",
 53                "DigitalPersona, Inc.",
 54                "Novell, Inc.",
 55                "gemalto",
 56                "EasyAntiCheat Oy",
 57                "Entrust Datacard Corporation",
 58                "AuriStor, Inc.",
 59                "LogMeIn, Inc.",
 60                "VMware, Inc.",
 61                "Istituto Poligrafico e Zecca dello Stato S.p.A.",
 62                "Nubeva Technologies Ltd",
 63                "Micro Focus (US), Inc.",
 64                "Yubico AB",
 65                "GEMALTO SA",
 66                "Secure Endpoints, Inc.",
 67                "Sophos Ltd",
 68                "Morphisec Information Security 2014 Ltd",
 69                "Entrust, Inc.",
 70                "Nubeva Technologies Ltd",
 71                "Micro Focus (US), Inc.",
 72                "F5 Networks Inc",
 73                "Bit4id",
 74                "Thales DIS CPL USA, Inc.",
 75                "Micro Focus International plc",
 76                "HYPR Corp",
 77                "Intel(R) Software Development Products",
 78                "PGP Corporation",
 79                "Parallels International GmbH",
 80                "FrontRange Solutions Deutschland GmbH",
 81                "SecureLink, Inc.",
 82                "Tidexa OU",
 83                "Amazon Web Services, Inc.",
 84                "SentryBay Limited",
 85                "Audinate Pty Ltd",
 86                "CyberArk Software Ltd.",
 87                "McAfeeSysPrep",
 88                "NVIDIA Corporation PE Sign v2016",
 89                "Trend Micro, Inc.",
 90                "Fortinet Technologies (Canada) Inc.",
 91                "Carbon Black, Inc.") and
 92       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
 93
 94     not dll.hash.sha256 :
 95                ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
 96                 "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
 97                 "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
 98                 "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
 99                 "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
100                 "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
101                 "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
102                 "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
103                 "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
104'''
105
106
107[[rule.threat]]
108framework = "MITRE ATT&CK"
109[[rule.threat.technique]]
110id = "T1003"
111name = "OS Credential Dumping"
112reference = "https://attack.mitre.org/techniques/T1003/"
113[[rule.threat.technique.subtechnique]]
114id = "T1003.001"
115name = "LSASS Memory"
116reference = "https://attack.mitre.org/techniques/T1003/001/"
117
118
119
120[rule.threat.tactic]
121id = "TA0006"
122name = "Credential Access"
123reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top