Potential Credential Access via DuplicateHandle in LSASS
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/09/27"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
11an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential Credential Access via DuplicateHandle in LSASS"
18references = ["https://github.com/CCob/MirrorDump"]
19risk_score = 47
20rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
21setup = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
24events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
25Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
26`event.ingested` to @timestamp.
27For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
28"""
29severity = "medium"
30tags = [
31 "Domain: Endpoint",
32 "OS: Windows",
33 "Use Case: Threat Detection",
34 "Tactic: Credential Access",
35 "Data Source: Sysmon",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41process where host.os.type == "windows" and event.code == "10" and
42
43 /* LSASS requesting DuplicateHandle access right to another process */
44 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
45
46 /* call is coming from an unknown executable region */
47 winlog.event_data.CallTrace : "*UNKNOWN*"
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1003"
55name = "OS Credential Dumping"
56reference = "https://attack.mitre.org/techniques/T1003/"
57[[rule.threat.technique.subtechnique]]
58id = "T1003.001"
59name = "LSASS Memory"
60reference = "https://attack.mitre.org/techniques/T1003/001/"
61
62
63
64[rule.threat.tactic]
65id = "TA0006"
66name = "Credential Access"
67reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Full User-Mode Dumps Enabled System-Wide
- Modification of WDigest Security Provider
- Network Logon Provider Registry Modification
- Potential Credential Access via LSASS Memory Dump