Potential LSASS Clone Creation via PssCaptureSnapShot
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/11/27"
3integration = ["windows", "system"]
4maturity = "production"
5updated_date = "2024/10/17"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
13process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
20references = [
21 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
22 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
23]
24risk_score = 73
25rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
26setup = """## Setup
27
28This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "high"
37tags = [
38 "Domain: Endpoint",
39 "OS: Windows",
40 "Use Case: Threat Detection",
41 "Tactic: Credential Access",
42 "Data Source: Sysmon",
43 "Data Source: System",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where host.os.type == "windows" and event.code:"4688" and
50 process.executable : "?:\\Windows\\System32\\lsass.exe" and
51 process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1003"
59name = "OS Credential Dumping"
60reference = "https://attack.mitre.org/techniques/T1003/"
61[[rule.threat.technique.subtechnique]]
62id = "T1003.001"
63name = "LSASS Memory"
64reference = "https://attack.mitre.org/techniques/T1003/001/"
65
66
67
68[rule.threat.tactic]
69id = "TA0006"
70name = "Credential Access"
71reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Potential Credential Access via Windows Utilities
- Network Logon Provider Registry Modification
- Process Execution from an Unusual Directory
- Unusual Child Process from a System Virtual Process
- Access to a Sensitive LDAP Attribute