Potential Credential Access via DuplicateHandle in LSASS

  1[metadata]
  2creation_date = "2021/09/27"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
 11an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Potential Credential Access via DuplicateHandle in LSASS"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating Potential Credential Access via DuplicateHandle in LSASS
 24
 25The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing security policies and managing user credentials in Windows environments. Adversaries may exploit the DuplicateHandle function to access LSASS memory, bypassing traditional API calls to avoid detection. The detection rule identifies suspicious LSASS handle access attempts from unknown modules, flagging potential credential dumping activities.
 26
 27### Possible investigation steps
 28
 29- Review the event logs for the specific event code "10" to gather more details about the suspicious activity, focusing on the process name "lsass.exe" and the granted access "0x40".
 30- Investigate the call trace details where the event data indicates "*UNKNOWN*" to identify any unknown or suspicious modules that may have initiated the DuplicateHandle request.
 31- Correlate the suspicious activity with other security events or alerts on the same host to determine if there are additional indicators of compromise or related malicious activities.
 32- Check the process tree and parent-child relationships of the lsass.exe process to identify any unusual or unauthorized processes that may have interacted with LSASS.
 33- Analyze the timeline of events to understand the sequence of actions leading up to and following the alert, which may help in identifying the adversary's objectives or next steps.
 34- Review recent changes or updates to the system that might have introduced the unknown module or altered the behavior of legitimate processes.
 35
 36### False positive analysis
 37
 38- Legitimate software or security tools that interact with LSASS for monitoring or protection purposes may trigger this rule. Users should identify and whitelist these trusted applications to prevent unnecessary alerts.
 39- System management or administrative scripts that perform legitimate operations on LSASS might be flagged. Review these scripts and, if verified as safe, add them to an exception list to reduce false positives.
 40- Custom in-house applications that require access to LSASS for valid reasons could be mistakenly identified. Conduct a thorough review of these applications and exclude them from the rule if they are deemed non-threatening.
 41- Security testing or penetration testing activities may mimic malicious behavior. Coordinate with security teams to recognize these activities and temporarily adjust the rule settings during testing periods to avoid false alerts.
 42
 43### Response and remediation
 44
 45- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 46- Terminate any suspicious processes associated with the unknown executable region accessing LSASS to halt potential credential dumping activities.
 47- Conduct a thorough memory analysis of the affected system to identify any malicious artifacts or indicators of compromise related to the DuplicateHandle exploitation.
 48- Reset credentials for all accounts that may have been accessed or compromised, prioritizing high-privilege accounts.
 49- Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar unauthorized access attempts in the future.
 50- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 51- Implement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function."""
 52references = ["https://github.com/CCob/MirrorDump"]
 53risk_score = 47
 54rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
 55setup = """## Setup
 56
 57If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 58events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 59Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 60`event.ingested` to @timestamp.
 61For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 62"""
 63severity = "medium"
 64tags = [
 65    "Domain: Endpoint",
 66    "OS: Windows",
 67    "Use Case: Threat Detection",
 68    "Tactic: Credential Access",
 69    "Data Source: Sysmon",
 70    "Resources: Investigation Guide",
 71]
 72timestamp_override = "event.ingested"
 73type = "eql"
 74
 75query = '''
 76process where host.os.type == "windows" and event.code == "10" and
 77
 78 /* LSASS requesting DuplicateHandle access right to another process */
 79 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
 80
 81 /* call is coming from an unknown executable region */
 82 winlog.event_data.CallTrace : "*UNKNOWN*"
 83'''
 84
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1003"
 90name = "OS Credential Dumping"
 91reference = "https://attack.mitre.org/techniques/T1003/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1003.001"
 94name = "LSASS Memory"
 95reference = "https://attack.mitre.org/techniques/T1003/001/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0006"
101name = "Credential Access"
102reference = "https://attack.mitre.org/tactics/TA0006/"