Potential LSASS Clone Creation via PssCaptureSnapShot

 1[metadata]
 2creation_date = "2021/11/27"
 3integration = ["windows", "system"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
11process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
12"""
13from = "now-9m"
14index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Potential LSASS Clone Creation via PssCaptureSnapShot
24
25PssCaptureSnapShot is a Windows API used for creating snapshots of processes, often for debugging. Adversaries exploit this to clone the LSASS process, aiming to extract credentials without detection. The detection rule identifies suspicious LSASS clones by monitoring process creation events where both the process and its parent are LSASS, signaling potential credential dumping attempts.
26
27### Possible investigation steps
28
29- Review the process creation event logs for the specific event code 4688 to confirm the creation of an LSASS process clone. Verify that both the process and its parent have the executable path "?:\\Windows\\System32\\lsass.exe".
30- Check the timeline of events to determine if there are any preceding or subsequent suspicious activities related to the LSASS process, such as unusual access patterns or modifications.
31- Investigate the user account and privileges associated with the process creation event to assess if the account has legitimate reasons to interact with LSASS or if it might be compromised.
32- Analyze network activity from the host to identify any potential data exfiltration attempts or connections to known malicious IP addresses following the LSASS clone creation.
33- Correlate this event with other security alerts or logs from the same host to identify if this is part of a broader attack pattern or isolated incident.
34- Examine the host for any signs of malware or tools commonly used for credential dumping, such as Mimikatz, that might have been used in conjunction with the LSASS clone creation.
35
36### False positive analysis
37
38- Legitimate security software or system management tools may create LSASS process snapshots for monitoring or debugging purposes. Identify these tools and create exceptions for their process creation events to avoid false positives.
39- System administrators or IT personnel might use authorized scripts or tools that interact with LSASS for legitimate reasons. Verify these activities and whitelist the associated processes to prevent unnecessary alerts.
40- During system updates or patches, certain processes might temporarily mimic suspicious behavior. Monitor these updates and temporarily adjust detection rules to accommodate expected changes in process behavior.
41- Some enterprise environments may have custom applications that interact with LSASS for performance monitoring. Document these applications and exclude their process creation events from triggering alerts.
42- Regularly review and update the list of known benign processes and tools that interact with LSASS to ensure that the detection rule remains effective without generating excessive false positives.
43
44### Response and remediation
45
46- Immediately isolate the affected host from the network to prevent further credential access or lateral movement by the adversary.
47- Terminate any suspicious LSASS clone processes identified by the detection rule to halt ongoing credential dumping activities.
48- Conduct a thorough memory analysis of the affected system to identify any additional malicious activities or tools used by the adversary.
49- Change all potentially compromised credentials, especially those with administrative privileges, to mitigate the risk of unauthorized access.
50- Review and enhance endpoint security configurations to ensure that LSASS process memory is protected from unauthorized access, such as enabling Credential Guard if applicable.
51- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
52- Implement additional monitoring and alerting for similar suspicious activities, focusing on process creation events involving LSASS, to improve early detection of future attempts."""
53references = [
54    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
55    "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
56]
57risk_score = 73
58rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
59severity = "high"
60tags = [
61    "Domain: Endpoint",
62    "OS: Windows",
63    "Use Case: Threat Detection",
64    "Tactic: Credential Access",
65    "Data Source: Sysmon",
66    "Data Source: Windows Security Event Logs",
67    "Resources: Investigation Guide",
68]
69timestamp_override = "event.ingested"
70type = "eql"
71
72query = '''
73process where host.os.type == "windows" and event.code:"4688" and
74  process.executable : "?:\\Windows\\System32\\lsass.exe" and
75  process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
76'''
77
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81[[rule.threat.technique]]
82id = "T1003"
83name = "OS Credential Dumping"
84reference = "https://attack.mitre.org/techniques/T1003/"
85[[rule.threat.technique.subtechnique]]
86id = "T1003.001"
87name = "LSASS Memory"
88reference = "https://attack.mitre.org/techniques/T1003/001/"
89
90
91
92[rule.threat.tactic]
93id = "TA0006"
94name = "Credential Access"
95reference = "https://attack.mitre.org/tactics/TA0006/"