Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/14"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
11performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
12detection and dump LSASS memory for credential access.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
19references = [
20 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
21 "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
22]
23risk_score = 73
24rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
25setup = """## Setup
26
27This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
28rule cardinality feature.
29"""
30severity = "high"
31tags = [
32 "Domain: Endpoint",
33 "OS: Windows",
34 "Use Case: Threat Detection",
35 "Tactic: Credential Access",
36 "Data Source: Sysmon",
37]
38timestamp_override = "event.ingested"
39type = "threshold"
40
41query = '''
42event.category:process and host.os.type:windows and event.code:10 and
43 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
44 "c:\\Windows\\system32\\lsass.exe" or
45 "c:\\Windows\\System32\\lsass.exe")
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1003"
53name = "OS Credential Dumping"
54reference = "https://attack.mitre.org/techniques/T1003/"
55[[rule.threat.technique.subtechnique]]
56id = "T1003.001"
57name = "LSASS Memory"
58reference = "https://attack.mitre.org/techniques/T1003/001/"
59
60
61
62[rule.threat.tactic]
63id = "TA0006"
64name = "Credential Access"
65reference = "https://attack.mitre.org/tactics/TA0006/"
66
67[rule.threshold]
68field = ["process.entity_id"]
69value = 2
70[[rule.threshold.cardinality]]
71field = "winlog.event_data.TargetProcessId"
72value = 2
References
Related rules
- Command Shell Activity Started via RunDLL32
- Full User-Mode Dumps Enabled System-Wide
- Modification of WDigest Security Provider
- Network Logon Provider Registry Modification
- Potential Credential Access via DuplicateHandle in LSASS