Potential LSASS Clone Creation via PssCaptureSnapShot

Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/11/27"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
references = [
    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
    "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
]
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.code:"4688" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
'''

note = """## Triage and analysis

### Investigating Potential LSASS Clone Creation via PssCaptureSnapShot

#### Possible investigation steps

- Does the alert-local 4688 event show the LSASS-clone pattern?
  - Focus: `event.code`, `process.executable`, `process.parent.executable`, `host.id`, `@timestamp`.
  - Implication: treat the alert as clone creation when both paths resolve to lsass.exe on one host; lower suspicion only when the tuple maps to a stable EDR, forensic, or debugging workflow.
  - Hint: pivot with `host.id` plus `process.entity_id`; if absent, use `host.id`, `process.pid`, and a tight alert-time window.

- Do surrounding 4688 events reveal the setup or dump-conversion chain?
  - Focus: same-host 4688 around `@timestamp`, especially `process.executable`, `process.command_line`, `process.parent.executable`, `user.id`, and terms such as "PssCaptureSnapshot", "MiniDumpWriteDump", "comsvcs", "rundll32", "WerFault", "procdump", "createdump", archive utilities, or cleanup commands. $investigate_0
  - Implication: escalate when shells, PowerShell, dump helpers, archive tools, cleanup, or remote-admin launchers appear without the same recognized collection workflow; absence of helpers leaves the clone unresolved, not benign.

- If file telemetry exists, did the clone create dumps, archives, or renamed outputs?
  - Focus: same-host file or child-process telemetry for `file.path`, `file.Ext.original.path` matching ".dmp", ".zip", ".7z", or renamed outputs. $investigate_1. If unavailable, use surrounding 4688 commands with output files or archive utilities.
  - Implication: escalate when dump paths, archive names, or cleanup commands appear around clone creation. Missing file telemetry is unresolved, not benign.

- Do authentication events show follow-on remote use, explicit credentials, or unusual logons?
  - Why: clone creation often precedes credential use; later auth can show post-dump pivoting.
  - Focus: same-host 4624, 4648, and 4625 around `@timestamp`, using `winlog.event_data.TargetUserName`, `winlog.logon.type`, and `source.ip`. $investigate_2
  - Implication: escalate when the host or user quickly shows new remote-interactive, service, or explicit-credential logons from unusual sources. If auth telemetry is missing, record the gap and keep the finding unresolved.

- Does same-user or same-host activity repeat the evidence pattern?
  - Focus: same-user 48h alerts for helper commands, dump/archive names, or post-clone authentication. $investigate_3
  - Hint: if user scope is sparse or the host is shared, review same-host alerts for process, output, and authentication evidence. $investigate_4
  - Implication: broaden scope when helper-command, output, or authentication patterns repeat around clone windows; no repeat keeps response local but does not clear the clone.

- Escalate for unauthorized LSASS clone creation, dump preparation, post-clone credential use, or clone creation on domain controllers, jump hosts, or privileged admin systems; close only when the alert tuple and recovery evidence bind to one recognized EDR, forensic, or debugging workflow with no conflicting dump-conversion, output, or authentication evidence; preserve artifacts and escalate when answers are mixed or visibility is incomplete.

### False positive analysis

- Recognized EDR/forensic collection or bounded lab validation can create snapshot-based clones. Require the alert tuple, helper command line, `user.id`, `host.id`, dump-output pattern, and no unexpected 4624 or 4648 activity inside that workflow; use records only to corroborate unresolved telemetry.
- Before creating an exception, validate that the same `host.id` and `user.id` cohort repeats the same process identity, helper-command, output-path, and authentication pattern across prior alerts from this rule. Avoid exceptions on "lsass.exe", `event.code`, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the collection workflow identity, launcher path, actor, host scope, dump-output pattern, and follow-on authentication pattern. Create an exception only if that pattern recurs across prior alerts.
- If suspicious but unconfirmed, preserve the alert 4688 event, surrounding helper-process events, command lines, dump/archive paths, rename evidence, affected identities, and post-clone authentication records before containment. Apply reversible containment first, such as heightened monitoring or temporary restrictions on remote admin access; escalate to host isolation only when dump artifacts or post-clone authentication confirm likely credential exposure and the host role can tolerate interruption.
- If confirmed malicious, preserve the alert event, helper-process chain, dump/archive paths, rename evidence, and affected identities before containment. Then isolate the host through endpoint response; if unavailable, escalate with preserved evidence. Block confirmed remote-auth or transfer sources before cleanup.
- On domain controllers, jump hosts, or privileged admin systems, scope which local, cached, service, or domain credentials may have been exposed, then reset or rotate affected credentials before removing collected artifacts.
- Before eradication, review related hosts and users for the same helper-process pattern, dump path, `winlog.logon.type`, or `source.ip` indicators. Then remove dump files, archives, helper tools, and persistence, and remediate the access or privilege path that enabled clone creation.
- Post-incident hardening: restrict memory-acquisition and dump tooling to recognized admin cohorts, retain supplemental file telemetry where its absence limited the case, and document the confirmed workflow or malicious pattern for future triage.
"""

setup = """## Setup

Audit Process Creation and Command Line must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-process-creation
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.name",
    "user.id",
    "user.domain",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.parent.entity_id",
    "process.parent.pid",
    "process.parent.name",
    "process.parent.executable",
    "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Same-host 4688 process creation events"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4688", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity on the affected host"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Authentication events on the affected host"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4625", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
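As an added example (not Elastic's code), the following Python applies the rule's EQL condition to constructed ECS-style 4688 events and then performs the first two investigation steps: it pivots to same-host 4688 events near the alert whose command line names one of the helper terms or dump-output extensions listed above. The ten-minute window, the flat-dict event shape, and the sample events are assumptions made for the demo.

```python
# Added example (not Elastic's code): applies the rule's EQL condition to constructed
# ECS-style 4688 events (flat dicts keyed by field name) and pivots to helper processes.
import re
from datetime import datetime, timedelta

# The EQL "?:\\Windows\\System32\\lsass.exe" pattern: any single drive letter.
LSASS_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\lsass\.exe$", re.IGNORECASE)
# Helper terms and output extensions named in the investigation steps.
HELPER_TERMS = ("psscapturesnapshot", "minidumpwritedump", "comsvcs", "rundll32",
                "werfault", "procdump", "createdump")
OUTPUT_EXTS = (".dmp", ".zip", ".7z")

def is_lsass_clone(e):
    """True when a Windows 4688 event shows lsass.exe spawned by lsass.exe (the rule query)."""
    return (e.get("host.os.type") == "windows" and str(e.get("event.code")) == "4688"
            and all(LSASS_RE.match(e.get(k, "")) for k in ("process.executable", "process.parent.executable")))

def pivot_helpers(alert, events, window=timedelta(minutes=10)):
    """Same-host 4688 events within +/-window whose command line names a helper or dump output."""
    t0 = datetime.fromisoformat(alert["@timestamp"])
    hits = []
    for e in events:
        if e is alert or e.get("host.id") != alert.get("host.id") or str(e.get("event.code")) != "4688":
            continue
        if abs(datetime.fromisoformat(e["@timestamp"]) - t0) > window:
            continue
        cmd = e.get("process.command_line", "").lower()
        if any(t in cmd for t in HELPER_TERMS) or any(x in cmd for x in OUTPUT_EXTS):
            hits.append(e)
    return hits

def triage(events):
    """Per clone alert: 'escalate' with helper evidence, else 'unresolved' (never 'benign')."""
    results = []
    for e in events:
        if is_lsass_clone(e):
            helpers = pivot_helpers(e, events)
            results.append((e["@timestamp"], "escalate" if helpers else "unresolved", len(helpers)))
    return results

def ev(ts, exe, parent, cmd=""):  # builder for constructed sample events on one host
    return {"@timestamp": ts, "host.os.type": "windows", "host.id": "h1", "event.code": "4688",
            "process.executable": exe, "process.parent.executable": parent, "process.command_line": cmd}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ev("2024-01-01T10:00:00", "C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\System32\\wininit.exe"),  # normal start
    ev("2024-01-01T10:04:30", "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\cmd.exe",
       "rundll32.exe C:\\Windows\\System32\\comsvcs.dll"),                                             # helper nearby
    ev("2024-01-01T10:05:00", "D:\\Windows\\System32\\lsass.exe", "D:\\Windows\\System32\\lsass.exe"),  # clone
]
```

`triage(SAMPLE_EVENTS)` flags only the third event, and the nearby rundll32/comsvcs command line turns that clone into an escalation; a clone with no helper evidence stays unresolved, matching the guide.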
