Potential LSASS Memory Dump via PssCaptureSnapShot

  1[metadata]
  2creation_date = "2021/10/14"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
 11performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
 12detection and dump LSASS memory for credential access.
 13"""
 14from = "now-9m"
 15index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
 19note = """## Triage and analysis
 20
 21> **Disclaimer**:
 22> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 23
 24### Investigating Potential LSASS Memory Dump via PssCaptureSnapShot
 25
 26PssCaptureSnapShot is a Windows feature used for capturing process snapshots, aiding in diagnostics and debugging. Adversaries exploit this to access LSASS memory, aiming to extract credentials. The detection rule identifies suspicious behavior by monitoring for repeated access to LSASS by the same process, targeting different instances, which may indicate an evasion attempt to dump credentials stealthily.
 27
 28### Possible investigation steps
 29
 30- Review the event logs for the specific event code 10 to gather details about the process that accessed the LSASS handle, including the process name, process ID, and the time of access.
 31- Check the process execution history on the host to determine if the process accessing LSASS is legitimate or potentially malicious. Look for any unusual or unexpected processes that might have been executed around the time of the alert.
 32- Investigate the parent process of the suspicious process to understand how it was initiated and whether it was spawned by a legitimate application or a known malicious process.
 33- Analyze the network activity of the host around the time of the alert to identify any suspicious outbound connections that might indicate data exfiltration attempts.
 34- Correlate the alert with other security events or alerts from the same host or user account to identify any patterns or additional indicators of compromise.
 35- Verify the integrity and security posture of the host by checking for any unauthorized changes to system files or configurations, especially those related to security settings.
 36
 37### False positive analysis
 38
 39- Legitimate diagnostic tools or software that utilize PssCaptureSnapShot for debugging purposes may trigger this rule. Users should identify and whitelist these trusted applications to prevent false positives.
 40- System administrators or security tools performing regular health checks on LSASS might access LSASS memory in a non-malicious manner. Exclude these known processes by creating exceptions based on their process names or hashes.
 41- Automated scripts or maintenance tasks that interact with LSASS for legitimate reasons could be flagged. Review and document these tasks, then configure the rule to ignore these specific activities.
 42- Security software updates or patches that temporarily access LSASS for validation or configuration purposes may cause alerts. Monitor update schedules and adjust the rule to accommodate these temporary accesses.
 43
 44### Response and remediation
 45
 46- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
 47- Terminate any suspicious processes identified as accessing LSASS memory using PssCaptureSnapShot to halt potential credential dumping activities.
 48- Conduct a thorough review of the affected system's event logs, focusing on event code 10, to identify any additional instances of suspicious LSASS access and determine the scope of the compromise.
 49- Change all potentially compromised credentials, especially those with administrative privileges, to mitigate the risk of unauthorized access using dumped credentials.
 50- Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
 51- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 52- Enhance monitoring and detection capabilities by ensuring that similar suspicious activities are logged and alerted on, using the specific query fields and threat indicators identified in this alert."""
 53references = [
 54    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 55    "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
 56]
 57risk_score = 73
 58rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
 59setup = """## Setup
 60
 61This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
 62rule cardinality feature.
 63"""
 64severity = "high"
 65tags = [
 66    "Domain: Endpoint",
 67    "OS: Windows",
 68    "Use Case: Threat Detection",
 69    "Tactic: Credential Access",
 70    "Data Source: Sysmon",
 71    "Resources: Investigation Guide",
 72]
 73timestamp_override = "event.ingested"
 74type = "threshold"
 75
 76query = '''
 77event.category:process and host.os.type:windows and event.code:10 and
 78 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
 79                                 "c:\\Windows\\system32\\lsass.exe" or
 80                                 "c:\\Windows\\System32\\lsass.exe")
 81'''
 82
 83
 84[[rule.threat]]
 85framework = "MITRE ATT&CK"
 86[[rule.threat.technique]]
 87id = "T1003"
 88name = "OS Credential Dumping"
 89reference = "https://attack.mitre.org/techniques/T1003/"
 90[[rule.threat.technique.subtechnique]]
 91id = "T1003.001"
 92name = "LSASS Memory"
 93reference = "https://attack.mitre.org/techniques/T1003/001/"
 94
 95
 96
 97[rule.threat.tactic]
 98id = "TA0006"
 99name = "Credential Access"
100reference = "https://attack.mitre.org/tactics/TA0006/"
101
102[rule.threshold]
103field = ["process.entity_id"]
104value = 2
105[[rule.threshold.cardinality]]
106field = "winlog.event_data.TargetProcessId"
107value = 2