LSASS Process Access via Windows API

Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/03/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7."
 6min_stack_version = "8.7.0"
 7updated_date = "2023/08/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "LSASS Process Access via Windows API"
19references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"]
20risk_score = 47
21rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
24timestamp_override = "event.ingested"
25type = "eql"
26
27query = '''
28api where host.os.type == "windows" and 
29 process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and 
30 not process.executable : 
31             ("?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", 
32              "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", 
33              "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", 
34              "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", 
35              "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", 
36              "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
37              "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", 
38              "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", 
39              "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", 
40              "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", 
41              "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", 
42              "?:\\Windows\\System32\\MRT.exe", 
43              "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", 
44              "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", 
45              "?:\\Windows\\System32\\msiexec.exe", 
46              "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", 
47              "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", 
48              "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", 
49              "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", 
50              "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", 
51              "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", 
52              "?:\\Program Files\\Huntress\\HuntressAgent.exe", 
53              "?:\\Program Files (x86)\\eScan\\reload.exe", 
54              "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe")
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1003"
62name = "OS Credential Dumping"
63reference = "https://attack.mitre.org/techniques/T1003/"
64[[rule.threat.technique.subtechnique]]
65id = "T1003.001"
66name = "LSASS Memory"
67reference = "https://attack.mitre.org/techniques/T1003/001/"
68
69
70
71[rule.threat.tactic]
72id = "TA0006"
73name = "Credential Access"
74reference = "https://attack.mitre.org/tactics/TA0006/"

References
