Potential Credential Access via LSASS Memory Dump
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/07"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
13the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via LSASS Memory Dump"
20references = [
21 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
22 "https://www.elastic.co/security-labs/detect-credential-access",
23 "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
24]
25risk_score = 73
26rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = [
37 "Domain: Endpoint",
38 "OS: Windows",
39 "Use Case: Threat Detection",
40 "Tactic: Credential Access",
41 "Tactic:Execution",
42 "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48process where host.os.type == "windows" and event.code == "10" and
49 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
50
51 /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
52 winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
53
54 /* case of lsass crashing */
55 not process.executable : (
56 "?:\\Windows\\System32\\WerFault.exe",
57 "?:\\Windows\\SysWOW64\\WerFault.exe",
58 "?:\\Windows\\System32\\WerFaultSecure.exe"
59 )
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1003"
67name = "OS Credential Dumping"
68reference = "https://attack.mitre.org/techniques/T1003/"
69[[rule.threat.technique.subtechnique]]
70id = "T1003.001"
71name = "LSASS Memory"
72reference = "https://attack.mitre.org/techniques/T1003/001/"
73
74
75
76[rule.threat.tactic]
77id = "TA0006"
78name = "Credential Access"
79reference = "https://attack.mitre.org/tactics/TA0006/"
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1106"
84name = "Native API"
85reference = "https://attack.mitre.org/techniques/T1106/"
86
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Kirbi File Creation