Potential Credential Access via DuplicateHandle in LSASS
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/09/27"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
6min_stack_version = "8.8.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
13an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via DuplicateHandle in LSASS"
20references = ["https://github.com/CCob/MirrorDump"]
21risk_score = 47
22rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37process where host.os.type == "windows" and event.code == "10" and
38
39 /* LSASS requesting DuplicateHandle access right to another process */
40 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
41
42 /* call is coming from an unknown executable region */
43 winlog.event_data.CallTrace : "*UNKNOWN*"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1003"
51name = "OS Credential Dumping"
52reference = "https://attack.mitre.org/techniques/T1003/"
53[[rule.threat.technique.subtechnique]]
54id = "T1003.001"
55name = "LSASS Memory"
56reference = "https://attack.mitre.org/techniques/T1003/001/"
57
58
59
60[rule.threat.tactic]
61id = "TA0006"
62name = "Credential Access"
63reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump
Read More
Related rules
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon