Suspicious Module Loaded by LSASS
Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's domain password or smart card PINs.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/12/28"
maturity = "production"
integration = ["endpoint"]
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into the
LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that
are stored in Windows, such as any logged-on user's domain password or smart card PINs.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Module Loaded by LSASS"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://blog.xpnsec.com/exploring-mimikatz-part-2/",
    "https://github.com/jas502n/mimikat_ssp"
]
risk_score = 47
rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and
  not (dll.code_signature.subject_name :
               ("Microsoft Windows",
                "Microsoft Corporation",
                "Microsoft Windows Publisher",
                "Microsoft Windows Software Compatibility Publisher",
                "Microsoft Windows Hardware Compatibility Publisher",
                "McAfee, Inc.",
                "SecMaker AB",
                "HID Global Corporation",
                "HID Global",
                "Apple Inc.",
                "Citrix Systems, Inc.",
                "Dell Inc",
                "Hewlett-Packard Company",
                "Symantec Corporation",
                "National Instruments Corporation",
                "DigitalPersona, Inc.",
                "Novell, Inc.",
                "gemalto",
                "EasyAntiCheat Oy",
                "Entrust Datacard Corporation",
                "AuriStor, Inc.",
                "LogMeIn, Inc.",
                "VMware, Inc.",
                "Istituto Poligrafico e Zecca dello Stato S.p.A.",
                "Nubeva Technologies Ltd",
                "Micro Focus (US), Inc.",
                "Yubico AB",
                "GEMALTO SA",
                "Secure Endpoints, Inc.",
                "Sophos Ltd",
                "Morphisec Information Security 2014 Ltd",
                "Entrust, Inc.",
                "Nubeva Technologies Ltd",
                "Micro Focus (US), Inc.",
                "F5 Networks Inc",
                "Bit4id",
                "Thales DIS CPL USA, Inc.",
                "Micro Focus International plc",
                "HYPR Corp",
                "Intel(R) Software Development Products",
                "PGP Corporation",
                "Parallels International GmbH",
                "FrontRange Solutions Deutschland GmbH",
                "SecureLink, Inc.",
                "Tidexa OU",
                "Amazon Web Services, Inc.",
                "SentryBay Limited",
                "Audinate Pty Ltd",
                "CyberArk Software Ltd.",
                "McAfeeSysPrep",
                "NVIDIA Corporation PE Sign v2016") and
       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and

  not dll.hash.sha256 :
            ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
             "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
             "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
             "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
             "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
             "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
             "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
             "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
             "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
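The query's matching logic re-implemented in Python as an added example (not part of the Elastic rule or its tooling), run over constructed library-load events so the three exclusion paths are visible: an allow-listed signer with a usable signature status, a sha256 on the exclusion list, and a loader other than lsass.exe. The signer subset, status strings, DLL paths and the all-zero placeholder hash are assumptions made for the demonstration.

```python
import fnmatch

# Constructed subset of the rule's signer allow-list and its status patterns (the full list is in the rule above).
TRUSTED_SUBJECTS = {s.lower() for s in ("Microsoft Windows", "Microsoft Corporation", "Yubico AB")}
ALLOWED_STATUS = ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")
# Placeholder standing in for the rule's sha256 exclusion list (constructed, not a real file hash).
EXCLUDED_SHA256 = {"00" * 32}

def _like(value, pattern):
    """EQL ':' operator: case-insensitive string match where '?' and '*' are wildcards."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def matches_rule(event):
    """Return True when a library-load event satisfies the EQL query above."""
    if event.get("event.category") != "library" or event.get("host.os.type") != "windows":
        return False
    if not _like(event.get("process.executable", ""), "?:\\Windows\\System32\\lsass.exe"):
        return False
    sig = event.get("dll.code_signature", {})
    allow_listed = (str(sig.get("subject_name", "")).lower() in TRUSTED_SUBJECTS
                    and any(_like(sig.get("status", ""), p) for p in ALLOWED_STATUS))
    if allow_listed:
        return False  # known vendor AND acceptable status: the rule's `not (... and ...)` clause excludes it
    return event.get("dll.hash.sha256") not in EXCLUDED_SHA256

def alerting_dlls(events):
    """Paths of DLLs that would raise an alert, in event order."""
    return [e["dll.path"] for e in events if matches_rule(e)]

def _event(exe, dll, subject, status, sha256="aa" * 32):
    return {"event.category": "library", "host.os.type": "windows", "process.executable": exe,
            "dll.path": dll, "dll.code_signature": {"subject_name": subject, "status": status},
            "dll.hash.sha256": sha256}

# Constructed sample events; signer names, statuses, paths and hashes are illustrative only.
SAMPLE_EVENTS = [
    _event("C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\System32\\msv1_0.dll", "Microsoft Windows", "trusted"),
    _event("c:\\windows\\system32\\lsass.exe", "C:\\Users\\Public\\ssp.dll", "", "errorNoSignature"),
    _event("C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\Temp\\vendor.dll", "Microsoft Corporation", "errorUntrustedRoot"),
    _event("C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\System32\\known.dll", "Contoso Ltd", "trusted", "00" * 32),
    _event("C:\\Windows\\System32\\svchost.exe", "C:\\Users\\Public\\ssp.dll", "", "errorNoSignature"),
]

if __name__ == "__main__":
    for path in alerting_dlls(SAMPLE_EVENTS):
        print("ALERT: LSASS loaded", path)
```

Note that the third event fires even though the subject name is allow-listed, because the rule requires both the signer and the signature status to be acceptable before it suppresses the load.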
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
- https://blog.xpnsec.com/exploring-mimikatz-part-2/
- https://github.com/jas502n/mimikat_ssp
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Kerberos Traffic from Unusual Process