Potential LSASS Clone Creation via PssCaptureSnapShot
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/11/27"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
11process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
18references = [
19 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
20 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
21]
22risk_score = 73
23rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
24setup = """## Setup
25
26This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "high"
35tags = [
36 "Domain: Endpoint",
37 "OS: Windows",
38 "Use Case: Threat Detection",
39 "Tactic: Credential Access",
40 "Data Source: Sysmon",
41]
42timestamp_override = "event.ingested"
43type = "eql"
44
45query = '''
46process where host.os.type == "windows" and event.code:"4688" and
47 process.executable : "?:\\Windows\\System32\\lsass.exe" and
48 process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1003"
56name = "OS Credential Dumping"
57reference = "https://attack.mitre.org/techniques/T1003/"
58[[rule.threat.technique.subtechnique]]
59id = "T1003.001"
60name = "LSASS Memory"
61reference = "https://attack.mitre.org/techniques/T1003/001/"
62
63
64
65[rule.threat.tactic]
66id = "TA0006"
67name = "Credential Access"
68reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
Intro Recently, I became rather intrigued after reading this article from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one.
Read More -
Related rules
- Command Shell Activity Started via RunDLL32
- Full User-Mode Dumps Enabled System-Wide
- Modification of WDigest Security Provider
- Network Logon Provider Registry Modification
- Potential Credential Access via DuplicateHandle in LSASS