Potential LSASS Memory Dump via PssCaptureSnapShot

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Sysmon  ·
Share on: linkedin copy

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/10/14"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
11performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
12detection and dump LSASS memory for credential access.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
19references = [
20    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
21    "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
22]
23risk_score = 73
24rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
25setup = """## Setup
26
27This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
28rule cardinality feature.
29"""
30severity = "high"
31tags = [
32    "Domain: Endpoint",
33    "OS: Windows",
34    "Use Case: Threat Detection",
35    "Tactic: Credential Access",
36    "Data Source: Sysmon",
37]
38timestamp_override = "event.ingested"
39type = "threshold"
40
41query = '''
42event.category:process and host.os.type:windows and event.code:10 and
43 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
44                                 "c:\\Windows\\system32\\lsass.exe" or
45                                 "c:\\Windows\\System32\\lsass.exe")
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1003"
53name = "OS Credential Dumping"
54reference = "https://attack.mitre.org/techniques/T1003/"
55[[rule.threat.technique.subtechnique]]
56id = "T1003.001"
57name = "LSASS Memory"
58reference = "https://attack.mitre.org/techniques/T1003/001/"
59
60
61
62[rule.threat.tactic]
63id = "TA0006"
64name = "Credential Access"
65reference = "https://attack.mitre.org/tactics/TA0006/"
66
67[rule.threshold]
68field = ["process.entity_id"]
69value = 2
70[[rule.threshold.cardinality]]
71field = "winlog.event_data.TargetProcessId"
72value = 2

References

  • Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start :: — uf0

    Intro Recently, I became rather intrigued after reading this article from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one.


    Read More

  • x.com


    Read More

Related rules

to-top