Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
# Rule lifecycle bookkeeping read by the detection-rules tooling; nothing in
# this table changes what the query matches.
[metadata]
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
# Free-text note for the stack-version floor below. The "-8.7" spelling
# presumably means "8.7 and earlier" — verify before relying on it.
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
# Lowest Elastic Stack version this rule is built for (see min_stack_comments).
min_stack_version = "8.8.0"
updated_date = "2023/10/23"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
detection and dump LSASS memory for credential access.
"""
# Lookback window for each rule execution; the threshold counts further down
# presumably apply to events inside this window only — confirm against the
# schedule interval, which is not part of this file.
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
references = [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
]
risk_score = 73
rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
# Operator note surfaced in the UI; the cardinality requirement it mentions is
# the [[rule.threshold.cardinality]] entry at the end of the file.
setup = """

This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature.
"""
severity = "high"
# "Data Source: Sysmon Only": the query keys on event.code 10 (Sysmon
# ProcessAccess), so hosts without Sysmon produce no candidate events.
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
# Ordering by ingest time rather than event time — presumably to tolerate
# ingestion lag; verify this is intended for a threshold rule.
timestamp_override = "event.ingested"
# Threshold rule: the query below only selects candidate events. The actual
# alert condition (same source process, two distinct LSASS target PIDs) is
# expressed in [rule.threshold].
type = "threshold"

# Candidate events: Sysmon ProcessAccess (event.code 10) whose target image is
# lsass.exe. Three path spellings are enumerated explicitly, presumably
# because the match on winlog.event_data.TargetImage is case-sensitive.
# NOTE(review): the combination "C:\\Windows\\System32\\lsass.exe" (capital C
# with capital S) is not listed; confirm whether that spelling appears in
# Sysmon telemetry before widening the list. Comments cannot be placed inside
# the query string itself.
query = '''
event.category:process and host.os.type:windows and event.code:10 and
 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
 "c:\\Windows\\system32\\lsass.exe" or
 "c:\\Windows\\System32\\lsass.exe")
'''
# MITRE ATT&CK mapping: credential dumping from LSASS memory. Both the
# technique and sub-technique are sub-tables of this single threat element,
# as is the [rule.threat.tactic] table that follows.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
# Tactic for the [[rule.threat]] element above; matches the
# "Tactic: Credential Access" tag in [rule].
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
# Alert condition. Candidate events are grouped by process.entity_id —
# presumably the accessing (source) process in the Sysmon ProcessAccess
# mapping; confirm against the windows integration's field mapping — and a
# group needs at least `value` matching events to alert.
[rule.threshold]
field = ["process.entity_id"]
value = 2
# Within that group, at least two distinct target process IDs must be
# present: one source process reaching two different lsass.exe instances,
# which is the PssCaptureSnapShot clone pattern the description calls out.
# Repeated handles to a single LSASS process ID do not satisfy this on their
# own.
[[rule.threshold.cardinality]]
field = "winlog.event_data.TargetProcessId"
value = 2
References
Related rules
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon