Potential Credential Access via LSASS Memory Dump

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Tactic:Execution Data Source: Sysmon  ·
Share on: linkedin copy

Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/10/07"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
13the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via LSASS Memory Dump"
20references = [
21    "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
22    "https://www.elastic.co/security-labs/detect-credential-access",
23    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
24]
25risk_score = 73
26rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = [
37    "Domain: Endpoint",
38    "OS: Windows",
39    "Use Case: Threat Detection",
40    "Tactic: Credential Access",
41    "Tactic:Execution",
42    "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48process where host.os.type == "windows" and event.code == "10" and
49  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
50
51   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
52  winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
53
54   /* case of lsass crashing */
55  not process.executable : (
56        "?:\\Windows\\System32\\WerFault.exe",
57        "?:\\Windows\\SysWOW64\\WerFault.exe",
58        "?:\\Windows\\System32\\WerFaultSecure.exe"
59      )
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1003"
67name = "OS Credential Dumping"
68reference = "https://attack.mitre.org/techniques/T1003/"
69[[rule.threat.technique.subtechnique]]
70id = "T1003.001"
71name = "LSASS Memory"
72reference = "https://attack.mitre.org/techniques/T1003/001/"
73
74
75
76[rule.threat.tactic]
77id = "TA0006"
78name = "Credential Access"
79reference = "https://attack.mitre.org/tactics/TA0006/"
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1106"
84name = "Native API"
85reference = "https://attack.mitre.org/techniques/T1106/"
86
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top