Potential Credential Access via LSASS Memory Dump
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/07"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
11the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential Credential Access via LSASS Memory Dump"
18references = [
19 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
20 "https://www.elastic.co/security-labs/detect-credential-access",
21]
22risk_score = 73
23rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "high"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Credential Access",
38 "Tactic:Execution",
39 "Data Source: Sysmon",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where host.os.type == "windows" and event.code == "10" and
46 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
47
48 /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
49 winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
50
51 /* case of lsass crashing */
52 not process.executable : (
53 "?:\\Windows\\System32\\WerFault.exe",
54 "?:\\Windows\\SysWOW64\\WerFault.exe",
55 "?:\\Windows\\System32\\WerFaultSecure.exe"
56 )
57'''
58
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1003"
64name = "OS Credential Dumping"
65reference = "https://attack.mitre.org/techniques/T1003/"
66[[rule.threat.technique.subtechnique]]
67id = "T1003.001"
68name = "LSASS Memory"
69reference = "https://attack.mitre.org/techniques/T1003/001/"
70
71
72
73[rule.threat.tactic]
74id = "TA0006"
75name = "Credential Access"
76reference = "https://attack.mitre.org/tactics/TA0006/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1106"
81name = "Native API"
82reference = "https://attack.mitre.org/techniques/T1106/"
83
84
85[rule.threat.tactic]
86id = "TA0002"
87name = "Execution"
88reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Dumping Lsass Without Mimikatz MiniDumpWriteDump API See my notes about writing a simple custom process dumper using MiniDumpWriteDump API: Dumping Lsass without Mimikatz with MiniDumpWriteDump Tas...
Read More -
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Full User-Mode Dumps Enabled System-Wide
- Modification of WDigest Security Provider
- Network Logon Provider Registry Modification
- Potential Credential Access via DuplicateHandle in LSASS