Potential LSASS Memory Dump via PssCaptureSnapShot

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Elastic rule

[metadata]
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
note = """## Setup

This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature."""
references = [
    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
    "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
]
risk_score = 73
rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.category:process and host.os.type:windows and event.code:10 and
 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
                                 "c:\\Windows\\system32\\lsass.exe" or
                                 "c:\\Windows\\System32\\lsass.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["process.entity_id"]
value = 2
[[rule.threshold.cardinality]]
field = "winlog.event_data.TargetProcessId"
value = 2
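To show how the query, the threshold on process.entity_id and the cardinality clause on TargetProcessId combine, here is an added Python example (not part of the Elastic rule or its repository) that replays the rule's grouping logic over a few constructed Sysmon Event ID 10 records. The dotted flattened field names, the case-insensitive path comparison and the sample PIDs are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample Sysmon EID 10 (ProcessAccess) records, flattened to the
# dotted field names the rule's KQL query uses. Not real logs.
LSASS = "C:\\Windows\\system32\\lsass.exe"
SAMPLE_EVENTS = [
    # entity A: a single process touching lsass twice, same target PID
    {"event.category": "process", "host.os.type": "windows", "event.code": "10",
     "process.entity_id": "A", "winlog.event_data.TargetImage": LSASS,
     "winlog.event_data.TargetProcessId": "700"},
    {"event.category": "process", "host.os.type": "windows", "event.code": "10",
     "process.entity_id": "A", "winlog.event_data.TargetImage": LSASS.lower(),
     "winlog.event_data.TargetProcessId": "700"},
    # entity B: same source process, two different LSASS instances (what the
    # rule description calls "two different instances of LSASS")
    {"event.category": "process", "host.os.type": "windows", "event.code": "10",
     "process.entity_id": "B", "winlog.event_data.TargetImage": LSASS,
     "winlog.event_data.TargetProcessId": "700"},
    {"event.category": "process", "host.os.type": "windows", "event.code": "10",
     "process.entity_id": "B", "winlog.event_data.TargetImage": LSASS,
     "winlog.event_data.TargetProcessId": "9001"},
    # entity C: access to a non-LSASS target, filtered out by the query
    {"event.category": "process", "host.os.type": "windows", "event.code": "10",
     "process.entity_id": "C", "winlog.event_data.TargetImage": "C:\\Windows\\system32\\svchost.exe",
     "winlog.event_data.TargetProcessId": "1200"},
]


def matches_query(ev):
    """Mirror the rule's KQL: Sysmon EID 10 on Windows whose target is lsass.exe.
    The rule lists three case variants of the path; comparing lower-cased
    strings covers those (assumption: a case-insensitive match is acceptable)."""
    return (ev.get("event.category") == "process"
            and ev.get("host.os.type") == "windows"
            and str(ev.get("event.code")) == "10"
            and ev.get("winlog.event_data.TargetImage", "").lower() == LSASS.lower())


def threshold_alerts(events, min_events=2, min_distinct_targets=2):
    """Apply [rule.threshold]: group matching events by process.entity_id and
    alert only when a group has at least `min_events` hits AND at least
    `min_distinct_targets` unique TargetProcessId values (the cardinality clause).
    Returns {entity_id: sorted distinct target PIDs} for every alerting group."""
    targets_by_entity = defaultdict(list)
    for ev in filter(matches_query, events):
        targets_by_entity[ev["process.entity_id"]].append(ev["winlog.event_data.TargetProcessId"])
    return {entity: sorted(set(pids))
            for entity, pids in targets_by_entity.items()
            if len(pids) >= min_events and len(set(pids)) >= min_distinct_targets}
```

Entity A trips the event-count threshold but not the cardinality clause, which is exactly the benign repeated-access pattern the second condition is there to suppress.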

Setup

This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold rule cardinality feature.
