Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/09/27"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
13an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via DuplicateHandle in LSASS"
20references = ["https://github.com/CCob/MirrorDump"]
21risk_score = 47
22rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = [
33    "Domain: Endpoint",
34    "OS: Windows",
35    "Use Case: Threat Detection",
36    "Tactic: Credential Access",
37    "Data Source: Sysmon",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.code == "10" and
44
45 /* LSASS requesting DuplicateHandle access right to another process */
46 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
47
48 /* call is coming from an unknown executable region */
49 winlog.event_data.CallTrace : "*UNKNOWN*"
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1003"
57name = "OS Credential Dumping"
58reference = "https://attack.mitre.org/techniques/T1003/"
59[[rule.threat.technique.subtechnique]]
60id = "T1003.001"
61name = "LSASS Memory"
62reference = "https://attack.mitre.org/techniques/T1003/001/"
63
64
65
66[rule.threat.tactic]
67id = "TA0006"
68name = "Credential Access"
69reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top