Potential LSASS Clone Creation via PssCaptureSnapShot
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Elastic rule
[metadata]
creation_date = "2021/11/27"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
note = """## Setup

This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
    "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
]
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.code:"4688" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
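To make the rule's logic concrete, the following is an added Python re-implementation of the EQL query above run over a handful of constructed 4688-style events. It is not Elastic's code and the events are made up for the example; the field names follow ECS as used by the rule (`host.os.type`, `event.code`, `process.executable`, `process.parent.executable`). The `?` wildcard in the EQL string matches exactly one character (the drive letter) and the `:` operator compares case-insensitively, so a regex with the same semantics stands in for the EQL matcher. The `effective_timestamp` helper reproduces the `timestamp_override` behaviour the setup note describes, falling back to `@timestamp` when `event.ingested` is absent.

```python
import re

# Constructed ECS-style documents (flattened field names) standing in for
# Windows security event 4688 records. Made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # Normal LSASS start at boot: parent is wininit.exe, so not a clone.
        "id": "evt-1", "@timestamp": "2023-04-05T10:00:00Z",
        "host.os.type": "windows", "event.code": "4688",
        "process.executable": r"C:\Windows\System32\lsass.exe",
        "process.parent.executable": r"C:\Windows\System32\wininit.exe",
    },
    {   # LSASS spawning a second LSASS image: the clone pattern the rule targets.
        "id": "evt-2", "@timestamp": "2023-04-05T10:05:00Z",
        "event.ingested": "2023-04-05T10:05:03Z",
        "host.os.type": "windows", "event.code": "4688",
        "process.executable": r"C:\Windows\System32\lsass.exe",
        "process.parent.executable": r"C:\Windows\System32\lsass.exe",
    },
    {   # Same pattern on a non-C system drive with odd casing; ':' is case-insensitive.
        "id": "evt-3", "@timestamp": "2023-04-05T10:06:00Z",
        "host.os.type": "windows", "event.code": "4688",
        "process.executable": r"d:\WINDOWS\system32\LSASS.EXE",
        "process.parent.executable": r"D:\Windows\System32\lsass.exe",
    },
    {   # Look-alike binary outside System32: the full-path test must fail.
        "id": "evt-4", "@timestamp": "2023-04-05T10:07:00Z",
        "host.os.type": "windows", "event.code": "4688",
        "process.executable": r"C:\Temp\lsass.exe",
        "process.parent.executable": r"C:\Windows\System32\lsass.exe",
    },
    {   # Non-Windows host: excluded by the host.os.type clause.
        "id": "evt-5", "@timestamp": "2023-04-05T10:08:00Z",
        "host.os.type": "linux", "event.code": "4688",
        "process.executable": r"C:\Windows\System32\lsass.exe",
        "process.parent.executable": r"C:\Windows\System32\lsass.exe",
    },
    {   # Wrong event code (4689 is process termination): excluded.
        "id": "evt-6", "@timestamp": "2023-04-05T10:09:00Z",
        "host.os.type": "windows", "event.code": "4689",
        "process.executable": r"C:\Windows\System32\lsass.exe",
        "process.parent.executable": r"C:\Windows\System32\lsass.exe",
    },
]

# Equivalent of the EQL string "?:\\Windows\\System32\\lsass.exe" used with ':':
# '.' stands for the single-character '?' wildcard and IGNORECASE for the
# case-insensitive comparison. Anchored so only the exact System32 path matches.
LSASS_PATH = re.compile(r"^.:\\Windows\\System32\\lsass\.exe$", re.IGNORECASE)


def lsass_path_matches(path):
    """True when `path` is the LSASS image path on any drive, case-insensitively."""
    return bool(path) and LSASS_PATH.fullmatch(path) is not None


def is_lsass_clone_event(event):
    """Apply the rule's four conditions to one flattened ECS event."""
    return (
        event.get("host.os.type") == "windows"
        and str(event.get("event.code")) == "4688"
        and lsass_path_matches(event.get("process.executable"))
        and lsass_path_matches(event.get("process.parent.executable"))
    )


def effective_timestamp(event):
    """timestamp_override = "event.ingested", with @timestamp as the fallback the note describes."""
    return event.get("event.ingested") or event["@timestamp"]


def find_lsass_clones(events):
    """Return the ids of events that would fire this rule, in input order."""
    return [e["id"] for e in events if is_lsass_clone_event(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if is_lsass_clone_event(event):
            print(f"{effective_timestamp(event)} ALERT {event['id']}: "
                  f"{event['process.parent.executable']} -> {event['process.executable']}")
```

Only `evt-2` and `evt-3` fire: a legitimate LSASS start has wininit.exe as its parent, an LSASS-named binary outside System32 fails the anchored path test, and non-Windows hosts and non-4688 codes are excluded up front. The event-code check coerces to a string because 4688 may arrive as a number or a string depending on the shipper, which is a common source of silently dead rules when the logic is ported outside EQL.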