Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/14"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
6min_stack_version = "8.8.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
13performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
14detection and dump LSASS memory for credential access.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
21references = [
22 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
23 "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
24]
25risk_score = 73
26rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
27setup = """## Setup
28
29This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
30rule cardinality feature.
31"""
32severity = "high"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
34timestamp_override = "event.ingested"
35type = "threshold"
36
37query = '''
38event.category:process and host.os.type:windows and event.code:10 and
39 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
40 "c:\\Windows\\system32\\lsass.exe" or
41 "c:\\Windows\\System32\\lsass.exe")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1003"
49name = "OS Credential Dumping"
50reference = "https://attack.mitre.org/techniques/T1003/"
51[[rule.threat.technique.subtechnique]]
52id = "T1003.001"
53name = "LSASS Memory"
54reference = "https://attack.mitre.org/techniques/T1003/001/"
55
56
57
58[rule.threat.tactic]
59id = "TA0006"
60name = "Credential Access"
61reference = "https://attack.mitre.org/tactics/TA0006/"
62
63[rule.threshold]
64field = ["process.entity_id"]
65value = 2
66[[rule.threshold.cardinality]]
67field = "winlog.event_data.TargetProcessId"
68value = 2
References
-
Intro Recently, I became rather intrigued after reading thisarticle from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one. This alert is, in all likelihood, triggered as a result of mimikatz employing MiniDumpWriteDumpwhen trying accessing the LSASS process, which in turn uses ReadProcessMemoryas a means of copying data from one process address space to another one.
Read More -
Related rules
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon