Potential Credential Access via DuplicateHandle in LSASS
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/09/27"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
13an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via DuplicateHandle in LSASS"
20references = ["https://github.com/CCob/MirrorDump"]
21risk_score = 47
22rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = [
33 "Domain: Endpoint",
34 "OS: Windows",
35 "Use Case: Threat Detection",
36 "Tactic: Credential Access",
37 "Data Source: Sysmon",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.code == "10" and
44
45 /* LSASS requesting DuplicateHandle access right to another process */
46 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
47
48 /* call is coming from an unknown executable region */
49 winlog.event_data.CallTrace : "*UNKNOWN*"
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1003"
57name = "OS Credential Dumping"
58reference = "https://attack.mitre.org/techniques/T1003/"
59[[rule.threat.technique.subtechnique]]
60id = "T1003.001"
61name = "LSASS Memory"
62reference = "https://attack.mitre.org/techniques/T1003/001/"
63
64
65
66[rule.threat.tactic]
67id = "TA0006"
68name = "Credential Access"
69reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Kirbi File Creation