Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/14"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/10/28"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
13performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
14detection and dump LSASS memory for credential access.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
21references = [
22 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
23 "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
24]
25risk_score = 73
26rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
27setup = """## Setup
28
29This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
30rule cardinality feature.
31"""
32severity = "high"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Credential Access",
38 "Data Source: Sysmon",
39]
40timestamp_override = "event.ingested"
41type = "threshold"
42
43query = '''
44event.category:process and host.os.type:windows and event.code:10 and
45 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
46 "c:\\Windows\\system32\\lsass.exe" or
47 "c:\\Windows\\System32\\lsass.exe")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1003"
55name = "OS Credential Dumping"
56reference = "https://attack.mitre.org/techniques/T1003/"
57[[rule.threat.technique.subtechnique]]
58id = "T1003.001"
59name = "LSASS Memory"
60reference = "https://attack.mitre.org/techniques/T1003/001/"
61
62
63
64[rule.threat.tactic]
65id = "TA0006"
66name = "Credential Access"
67reference = "https://attack.mitre.org/tactics/TA0006/"
68
69[rule.threshold]
70field = ["process.entity_id"]
71value = 2
72[[rule.threshold.cardinality]]
73field = "winlog.event_data.TargetProcessId"
74value = 2
References
-
Intro Recently, I became rather intrigued after reading this article from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one.
Read More
Related rules
- Network Logon Provider Registry Modification
- Potential Credential Access via Windows Utilities
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Command Shell Activity Started via RunDLL32
- Full User-Mode Dumps Enabled System-Wide