Potential Credential Access via LSASS Memory Dump
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/07"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
6min_stack_version = "8.8.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
13the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Credential Access via LSASS Memory Dump"
20references = [
21 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
22 "https://www.elastic.co/security-labs/detect-credential-access",
23]
24risk_score = 73
25rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
26setup = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "high"
35tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.code == "10" and
41 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
42
43 /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
44 winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
45
46 /* case of lsass crashing */
47 not process.executable : (
48 "?:\\Windows\\System32\\WerFault.exe",
49 "?:\\Windows\\SysWOW64\\WerFault.exe",
50 "?:\\Windows\\System32\\WerFaultSecure.exe"
51 )
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1003"
59name = "OS Credential Dumping"
60reference = "https://attack.mitre.org/techniques/T1003/"
61[[rule.threat.technique.subtechnique]]
62id = "T1003.001"
63name = "LSASS Memory"
64reference = "https://attack.mitre.org/techniques/T1003/001/"
65
66
67
68[rule.threat.tactic]
69id = "TA0006"
70name = "Credential Access"
71reference = "https://attack.mitre.org/tactics/TA0006/"
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75
76[[rule.threat.technique]]
77id = "T1106"
78name = "Native API"
79reference = "https://attack.mitre.org/techniques/T1106/"
80
81
82[rule.threat.tactic]
83id = "TA0002"
84name = "Execution"
85reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Dumping Lsass Without Mimikatz MiniDumpWriteDump API See my notes about writing a simple custom process dumper using MiniDumpWriteDump API: pageDumping Lsass without Mimikatz with MiniDumpWriteDump...
Read More -
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon