Potential LSASS Clone Creation via PssCaptureSnapShot
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/11/27"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
13process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
20references = [
21 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
22 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
23]
24risk_score = 73
25rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
26setup = """## Setup
27
28This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "high"
37tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42process where host.os.type == "windows" and event.code:"4688" and
43 process.executable : "?:\\Windows\\System32\\lsass.exe" and
44 process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1003"
52name = "OS Credential Dumping"
53reference = "https://attack.mitre.org/techniques/T1003/"
54[[rule.threat.technique.subtechnique]]
55id = "T1003.001"
56name = "LSASS Memory"
57reference = "https://attack.mitre.org/techniques/T1003/001/"
58
59
60
61[rule.threat.tactic]
62id = "TA0006"
63name = "Credential Access"
64reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
Intro Recently, I became rather intrigued after reading thisarticle from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one. This alert is, in all likelihood, triggered as a result of mimikatz employing MiniDumpWriteDumpwhen trying accessing the LSASS process, which in turn uses ReadProcessMemoryas a means of copying data from one process address space to another one.
Read More -
Related rules
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon